top | item 25836947

(no title)

ashearer | 5 years ago

Good to know that AWS is so fast to detect this.

If good uses were common—and I'm struggling to come up with them—AWS could suppress the alert for IAM users that were already sufficiently locked down. But since that would become dangerous if the permissions were loosened later, AWS would wind up creating two classes of keys, public and non-public, in order to know whether to warn about loosening restrictions. Simpler just to forbid making keys public.

To publish such a key anyway without having to go to the trouble of unwinding an AWS auto-quarantine, breaking it up in code (like "part1" + "part2") might be enough to foil the AWS bot. Can anyone confirm?

discuss

Znafon|5 years ago

It's actually GitHub that contacts AWS even before the commit finishes being sent to GitHub so it is indeed very fast.

paultopia|5 years ago

Really? If Github is already detecting credentials that reliably, I wonder why they don't just switch repositories to temporarily private and e-mail the account owner themselves...?