AWS Access Keys on GitHub Public Repo

Well, it finally happened. After years of playing fast and loose with API keys on GitHub, I’ve been hacked.

I woke up to an unusually large billing alarm from my AWS account. Since the code running on this account was storing almost no data, I thought this was a bit odd. So I logged in to my billing account, was redirected to the service center to submit a claim, and found this:

Screenshot from 2017-07-12 13-27-39

Well, the temporary limiting of my account didn’t appear to help much. The hacker had created about 20 m3.2xlarge EC2 instances and a 35 GB snapshot for every. single. region. available on AWS (Mumbai, Tokyo, Ireland, the list goes on and on), using the keys I uploaded to GitHub. Needless to say, I spent this morning terminating all the EC2 instances, clearing the security groups, and deleting the public key from the account. Sounds like a blast, right?

The funny thing is, the chunk of commented-out code holding the keys was only a quick test written months ago that I never used again, which is why I forgot it even existed in the code.

This was back when I was still learning the ropes. Now, whenever I need an API key, I immediately put it into a JSON file and add that JSON file to the .gitignore for the project, so I don’t have to worry about this stuff while pushing and pulling. I’ve heard there are better tools out there for storing SSH keys, but I’m curious if there are any for API keys. If anyone has any suggestions, I’d love to hear them in the comments.
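A .gitignore only protects the file you remembered to list; it does nothing for a key pasted into a comment months ago. One complementary check, added here as an example and not code from the post, is a pre-commit scan of staged additions for the AWS key formats (the `--staged` flag and the constructed sample are this example's own; the sample values are the public example credentials from the AWS documentation, not real keys):

```python
import re
import subprocess
import sys

# Long-term key IDs start with AKIA, temporary (STS) ones with ASIA; both
# are followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character base64-ish token near the word "secret" on the same line.
SECRET_KEY_RE = re.compile(
    r"secret[^\n]{0,40}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])", re.IGNORECASE)

def redact(value):
    """Show only the ends so the report itself does not leak the key."""
    return value[:4] + "..." + value[-4:]

def find_aws_keys(text):
    """Return (line_number, kind, redacted_value) for every hit; comments
    are scanned like any other line, which is where the post's key hid."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings

def staged_additions():
    """Added lines of the staged diff, with diff headers stripped."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(ln[1:] for ln in diff.splitlines()
                     if ln.startswith("+") and not ln.startswith("+++"))

# Constructed sample resembling the forgotten test snippet. The values are
# the public example credentials from the AWS documentation, not real keys.
SAMPLE = """import boto3
# client = boto3.client('s3',
#     aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
#     aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
config = json.load(open('secrets.json'))
"""

if __name__ == "__main__":
    # Hypothetical --staged flag: scan the staged diff as a pre-commit hook.
    text = staged_additions() if "--staged" in sys.argv[1:] else SAMPLE
    hits = find_aws_keys(text)
    for lineno, kind, shown in hits:
        print(f"line {lineno}: possible {kind} {shown}")
    sys.exit(1 if hits else 0)
```

Wired into `.git/hooks/pre-commit` with `--staged`, a non-zero exit blocks the commit; the redacted output is enough to locate the line without echoing the full key into terminal history.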

I submitted a claim to get a refund for the charges; we’ll see what happens.

UPDATE

The charges racked up by the hacker ended up being $1100 by the time I managed to kill all the instances! I’ve since received this from Amazon AWS:

Screenshot from 2017-07-13 09-37-46

Thank God for Amazon’s customer support. The hack was obviously my own fault, but they’re still willing to cover the costs.
