noreasonw | 10 years ago

If you are hacked, the first thing the bad guys do is to disable your billing alerts.

Turing_Machine|10 years ago

Well, if you are hacked, you're not liable for the fraudulent charges anyway (in the U.S.... mileage may vary elsewhere). Your CC company will charge it back, in the unlikely event that Amazon didn't take care of it on their own initiative (which they almost certainly would... as another poster noted, they have a good reputation in that area).

I interpreted "doing something silly" as "firing up 10,000 instances and forgetting to shut them back down", rather than fraud.

autotune|10 years ago

AutoScale is the funnest part though...

mindcrime|10 years ago

Has that been a common problem for AWS users? I'm not asking to be snide, I honestly don't know. I just haven't heard a lot about that happening.

Something else to keep in mind... Amazon have a reputation for being pretty good about issuing refunds in situations where people rack up large bills due to various kinds of accidents. There are a number of such stories in old HN posts, and my own experience was very favorable: I set up a couple of big instances for a demo at a conference, and then a week or two later had a heart attack, and didn't get around to shutting down the instances until about 3 months later. I wound up getting billed several thousand dollars, but Amazon had no problem issuing me a refund. YMMV, of course.

Someone1234|10 years ago

API key theft is a common problem with AWS users.

The problem people have is that when they generate an API key they grant that key "everything", even account management stuff, instead of giving it the least privilege needed to accomplish whatever it is that it does.

Then they'll inadvertently upload it to e.g. GitHub or similar in some source code, and bad guys have bots which will steal it, then make use of your account for all kinds of evil purposes.

Having things like 2F on your main account (which you should) won't save you from this. And if you go to bed, by the time you wake up the account charges could be in the tens of thousands even with billing alerts.