top | item 36621972

(no title)

WrtCdEvrydy | 2 years ago

> Inexperienced folks won’t know better.

I've seen answers like this in Stack Overflow before. Technically correct, but basically broken in every other way: cybersecurity's future is gonna be interesting.

scarface_74 | 2 years ago

One of my pet peeves about almost every answer on Stack Overflow is that the answer always starts with

    client = boto3.client("<service>", aws_access_key_id="<access-key>", aws_secret_access_key="<secret-key>")

There is never a reason to include those last two parameters. It’s always a security risk no matter how you do it.

jacurtis | 2 years ago

For that matter, using an access-key or secret-key at all is basically an anti-pattern now.

In the past few months AWS has added to their UI a popup box that asks you why you are creating access keys; it makes you answer it before generating the keys. Once you give it the answer it tells you better ways to do almost anything you're trying to do, and you have to agree to ignore those suggestions one more time before actually generating the keys.

Basically the standard access keys are really of no use anymore. You should be using roles, OIDC, IAM Identity Center, Cognito federated identities, or something else. There are a million ways to identify yourself that are more secure than that and I wish tutorials stopped assuming that you should generate access keys because in no practical 2023 use case should you be doing that anymore. Especially not in any sort of sensitive or corporate environment.
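
The two comments above (scarface_74 on `boto3.client(...)` taking credentials as parameters, jacurtis on static access keys being an anti-pattern) describe the same defect from two angles. The following is an added example, not code from any commenter or from boto3 itself: a small standard-library scanner that a reviewer or pre-commit hook could run over tutorial-derived code to flag boto3 constructor calls that pass `aws_access_key_id`, `aws_secret_access_key` or `aws_session_token` explicitly, and lines that carry something shaped like an IAM access key ID. The source it scans is constructed here; the key ID in it is the placeholder AWS's own documentation uses, and `boto3` does not need to be installed for the scanner to run.

```python
"""Flag boto3 constructor calls that plumb static AWS credentials by hand.

Constructed example for this thread, not code from the original post or
from boto3. Standard library only, so it runs without boto3 installed.
"""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# boto3 entry points whose signatures accept explicit credential kwargs.
BOTO3_CONSTRUCTORS = {"client", "resource", "Session"}
CREDENTIAL_KWARGS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}
# Long-term IAM access key IDs are "AKIA" followed by 16 upper-case/digit chars.
AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


@dataclass(frozen=True)
class Finding:
    line: int
    func: str
    kwarg: str
    severity: str  # "high": secret is a literal in source; "medium": credential wired by hand


def _dotted_name(node: ast.AST) -> str:
    """Render call targets such as boto3.client or boto3.session.Session as text."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def find_static_credentials(source: str) -> list[Finding]:
    """Return one Finding per credential kwarg passed to a boto3 constructor."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if not (name.startswith("boto3.") and name.rsplit(".", 1)[-1] in BOTO3_CONSTRUCTORS):
            continue
        for kw in node.keywords:
            if kw.arg not in CREDENTIAL_KWARGS:
                continue
            # A string literal means the secret ships with the code; anything else
            # (env lookup, variable) is still a static key, just sourced elsewhere.
            literal = isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str)
            findings.append(Finding(node.lineno, name, kw.arg, "high" if literal else "medium"))
    return findings


def find_akia_literals(source: str) -> list[int]:
    """Line numbers containing something shaped like an IAM access key ID."""
    return [i for i, line in enumerate(source.splitlines(), 1) if AKIA_RE.search(line)]


# Constructed sample source; the key ID is the placeholder from AWS documentation.
SAMPLE = '''
import boto3, os

# Anti-pattern from the thread: credentials handed to the constructor.
s3 = boto3.client("s3",
                  aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
                  aws_secret_access_key="not-a-real-secret")

# Still an anti-pattern: the values come from the environment, but the code
# is built around a static key pair rather than a role.
ddb = boto3.resource("dynamodb",
                     aws_access_key_id=os.environ["AK"],
                     aws_secret_access_key=os.environ["SK"])

# Preferred: no credentials in code. The SDK's default provider chain picks up
# the instance/task/Lambda role, an IAM Identity Center (SSO) profile, or a
# web-identity (OIDC) token, whichever the runtime provides.
sqs = boto3.client("sqs", region_name="us-east-1")
'''


if __name__ == "__main__":
    for f in find_static_credentials(SAMPLE):
        print(f"line {f.line}: {f.func}(..., {f.kwarg}=...) [{f.severity}]")
    for ln in find_akia_literals(SAMPLE):
        print(f"line {ln}: literal access key ID in source")
```

The scanner flags every explicit credential keyword, not only literals, because the point made above is that there is no reason to pass them at all: the `sqs` client in the sample is the shape to aim for, where the SDK's default credential chain resolves a role, an Identity Center profile or a web-identity token at runtime and nothing secret lives in the code or its configuration.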

klysm | 2 years ago

This is a great example, and I think it’s a smaller version of the same problem.