IAM, released in late 2010, allows AWS users to make keys for specific jobs — like uploading to your production S3 bucket, reading (not writing) messages to a queue or starting a new database server.

It’s awesome as it allows one to create keys based on principle of least privilege.

Mechanical Turk doesn’t support it.

The recent Circle CI and Mongo HQ incidents prompted us to look again at our own infrastructure. Mechanical Turk’s lack of support for decent access management turned out to be the biggest flaw — and we can’t fix it.

At Rainforest we push a lot of jobs through Mechanical Turk, so I contacted our account manager asking them to find out;

1. When IAM is going to be supported
2. What the current best practice for securing the master keys is

I got back —

We don’t currently support IAM, and while it could be something that we add in the future, I’m not able to give you any sort of confirmation or timeframe for when the feature would be available.

Additionally, while we don’t have specific best practices for securing master keys, here are some best practices that could be helpful related to key rotation, etc.

If you have more specific questions related to securing master keys, I’m happy to help address them for you.

Key rotation. Yes, it’s a good practice, but no it’s not helpful if your master keys are compromised.