Production AWS keys on GitHub

I did a quick check and found a few people with their Rails App's secret token on display in config/initialisers/secret_token.rb. I guess most people reading this will already be aware but it's in the same vein as the AWS keys problem linked. Make sure this stuff hasn't been left in your public repos.

If you use EC2, you can use IAM roles and your server can fetch temporary credentials from AWS. There's no need for your application to even know your AWS credentials.

Read more: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles...

I recommend putting your app's API keys into environment variables instead of configuration files for this reason.

I was charged over $1696.00 in AWS Usage fees for putting my production AWS keys on GitHub. So think twice before you put any production keys out there, for the whole world to see. UPDATE: As spydertennis mentioned, I also had 15 Double XL EC2 instances running in multiple regions.

It would be interesting to have an application that Googles regularly this kind of sensitive information and tells you if it showed up somewhere public.

Of course it would need a full list of your sensitive keys and password, which it practice would be quite dangerous...

What exactly happens when someone takes advantage of these keys?

Is it considered as "hacking", ie is the offender's Amazon account terminated? or is it "fair" in the sense that those credentials were willingly made public?

https://github.com/search?p=1&q=Stripe.api_key+%22sk_live%22... #facepalm

I got hacked a month ago because of this mistake. Someone initiated 15 heavy duty aws instances on my account. Luckily aws support noticed the huge increase in billing and called me to confirm. Now my github is private haha.

I did this once in a gist by mistake - meant to remove them before submitting it. Luckily someone spotted it and let me know so I could kill the access key.