Saw someone on Reddit lose $86k from a compromised AWS account. I've heard way too many stories like this — misconfigured IAM, tokens in repos, no billing alerts...<p>If you're on a small team, how are you actually protecting yourself from stuff like this? Is there a sane setup that works without needing a full-time AWS security person?
Gotta look at your monthly bill every day.<p>I've been wondering about the question of "where did the web go?" and how even technically savvy people have given up on blogging for behavioral sinks like Medium.<p>Part of the story is that $50 a month dedis have given way to the "free" plan on AWS or a system that costs $10 a month to run if you're not successful but has no upper bound on the bills if you are successful. So if you make a blog you are praying every night that you don't make it to the front of Hacker News and that you don't build up a large following because boy those egress charges will add up. People are furious now that they are getting eaten alive by the egress costs run up by AI bots but 10 years ago I was thinking "Boy Bing crawls my site twice as hard as Google and sends 5% of the traffic and Chinese webcrawlers crawl my site 5x harder than Google and send me no detectable traffic."
They look at code on stackoverflow and the web that initializes the SDK resources that have you explicitly put the access key and secret key in code.<p>For instance, the correct way to initialize the s3 client in Python is<p><pre><code> s3 = boto3.client('s3')
</code></pre>
The SDK will automatically get the credentials that are configured locally within your environment or the IAM role attached to your Lambda, EC2 instance, Docker (ECS, EKS) container runner etc.<p>Your access keys <i>never</i> need to be part of your repository.
<a href="https://old.reddit.com/r/aws/comments/1jupura/just_got_compromised_with_over_86k_and_completely" rel="nofollow">https://old.reddit.com/r/aws/comments/1jupura/just_got_compr...</a> - this post you're referring to?