I wondered how long it would take to find someone else’s Amazon web services credentials accidentally posted on the internet.
With the right credentials one could take full control of an Amazon cloud computing account. This could well be the keys to a complete IT infrastructure: a company’s live websites, customer data, the very lifeblood of the business itself. Data backups are often stored in the same AWS accounts. Access to such keys has allowed nefarious gangs to completely destroy stable and reliable companies in the process of extorting money from them.
One would assume, then, that such keys are kept very, very safe. However, human nature sometimes drives complacency. It took me 5 minutes of searching to find AWS keys accidentally placed on the internet.
Once these keys are lost there is a chance that they could be used by whoever finds them to, for example, create machines to mine for bitcoins. The potential exposure caused by this could be larger than one might think. Resources are limited by account quotas, which can be increased or decreased by account holders. Users often raise these limits to make sure they don’t run into quota issues when creating stacks of machines. Unchecked AWS use can run up crippling costs very quickly.
Naturally, I didn’t use the AWS account keys I found, but alerted the company in question to their security breach. They thanked me, and that was that. I wonder if they really knew the dangers they had exposed themselves to.
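The cheapest defence against this kind of leak is to check content for credential patterns before it is published. The following is an added example (not code from the original post): a small scanner that flags AWS access key IDs by their fixed prefix and length, and flags secret access keys only when they sit next to a labelling key name, since a bare 40-character token is too generic to match on its own. The sample input is constructed and uses the placeholder key pair from AWS's own documentation.

```python
import re
from typing import List, Tuple

# Access key IDs: long-term keys start with AKIA, temporary (STS) keys with ASIA,
# followed by 16 upper-case alphanumerics. Secret keys are 40 base64-like chars;
# on their own they look like any other token, so we only flag them when they
# follow a label such as aws_secret_access_key.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret)\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the file, never enough to reuse it."""
    return value[:4] + "..." + value[-4:]


def scan_for_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


# Constructed sample: a credentials file of the kind that ends up in a public repo.
# The key values are the well-known placeholders from AWS's own documentation.
SAMPLE = """[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# not a key: AKIA is only a prefix, and this token is far too short
bucket = AKIASHORT
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_for_aws_credentials(SAMPLE):
        print(f"line {lineno}: {kind} {value}")
```

Run it over a repository's files as a pre-commit hook or CI step; a hit should block the push and trigger a key rotation, because a key that has touched a shared history should be treated as already exposed.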