What Happened When One of My AWS Keys Was Leaked

On Thursday I gave a workshop at DjangoCon Europe on deploying a Django application on AWS Lambda. I gave participants a Git repository to clone and temporary AWS keys to individual, restricted IAM users on my Workshops AWS account.

In the interest of saving time, I set up the Ansible playbook to include the access key id and secret access key as in-line variables:

vars:
  aws_access_key: ''
  aws_secret_key: ''

This wasn't the smartest idea, as it put secrets into a file tracked by Git.
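As an added example (not code from the workshop repository), here is a check that could run as a Git pre-commit hook to catch this mistake before it is pushed. The function name is hypothetical, the sample playbooks are constructed using the placeholder credentials from AWS's own documentation, and the `lookup('env', ...)` form is one assumed way to keep the values out of the tracked file.

```python
import re
import sys

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# The playbook's two variables given a non-empty literal, not a Jinja2 "{{ ... }}" expression.
INLINE_VAR = re.compile(
    r"""^\s*(aws_access_key|aws_secret_key)\s*:\s*(['"]?)(?!\{\{)([^'"\s#]+)\2\s*(?:#.*)?$"""
)

# Constructed sample: placeholder credentials from AWS documentation, not real keys.
SAMPLE_PLAYBOOK = """\
- hosts: localhost
  vars:
    aws_access_key: 'AKIAIOSFODNN7EXAMPLE'
    aws_secret_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
"""

# Constructed sample: same variables read from the environment at run time.
SAFE_PLAYBOOK = """\
- hosts: localhost
  vars:
    aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"
    aws_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}"
"""


def find_inline_aws_secrets(text):
    """Return (line_number, reason) pairs for lines that embed AWS credentials."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID.search(line):
            findings.append((number, "access key id literal"))
            continue
        match = INLINE_VAR.match(line)
        if match:
            findings.append((number, f"inline value for {match.group(1)}"))
    return findings


if __name__ == "__main__":
    # Usage as a hook: pass the staged file paths; a non-zero exit blocks the commit.
    bad = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for number, reason in find_inline_aws_secrets(handle.read()):
                print(f"{path}:{number}: {reason}")
                bad = True
    sys.exit(1 if bad else 0)
```

The empty `''` values shown in the snippet above pass the check; only a filled-in literal is reported.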

After the workshop, one of my participants committed and pushed this to their public GitHub fork. (My fault for not warning them!)

Within minutes, I received a call from AWS. I didn’t answer it, since I was in another conference talk and didn’t recognize the number.

I checked the voicemail afterwards. It told me to check the support centre on my AWS account (identifying it by the last 4 digits of the account number). There, I found this message:

[Screenshot: AWS Support Centre message telling me about the detected leak]

(Yes, the IAM user was ‘giraffe’ - each participant got a different animal!)

Thankfully, I’d secured the account already by removing all the temporary workshop resources. My account was also protected by the restrictive IAM policy attached to the users, which only allowed participants to redeploy their copy of the application.

I received a follow-up email when I deleted the user:

[Screenshot: AWS email that user was deleted]

It’s amazing customer support that they have this system running and respond so quickly to leaks. Thank you AWS for helping keep us customers secure!
