What happens if you accidentally commit your AWS access token to public GitHub?

Selvaganesh
Nov 15, 2017 · 4 min read

On 10th Oct 2017 i was trying to set up AWS sdk using javascript in my free tier account.

After my successful usage of AWS services accidentally committed accessKeyId ,secretAccessKey & region information to public git.

after 2 hours usually i used to check EC2 dashboard suddenly i came to know 20 instances running that too with static IP allocation in Ohio region i got shocked and terminated all my instances .

Then to make sure i checked in other regions whether any instances activated or not,yes there too 20 instances were running.So in all 15 regions 20 instances were running that means 20 x 15 = 300 virtual machines were running with my knowledge.Yeah its a hack to perform bitcoin mining.

So what really happened here when ever you accidentally committed any auth token or secret parameters to your git it will be automatically fetch by the bots that running on any where in the world.

How can bots find my exact token when there are billions of projects available on github. One way by using Github search API’s anyone can query into repository,commits,code,users by passing a query

In my case i have saved my token in config file with parameter name as accessKeyId, bots might have written a query like below.

https://api.github.com/search/code?q=accessKeyId

So once it started to hit result may get as successful response along with our actual key that they wanted to hack.

Then by using aws sdk’s intruders started to create a EC2 high power machine using programs in few seconds.We will not get notified whether machine got activated or not we will be the looser.

First thing make sure that you have terminate all the instances from all regions.

Check number of running instance in all regions

Then delete your IAM Access Key Go to services > IAM

Delete small cross on right of row

After doing this you can secure from intruder.

But one of the good thing in there is a good bot GitGuardian that was sending me an email stating that AWS key commit is detected.

Mail that i received from git gaurdian

After reading this mail i deleted that entire project which i pushed in public repo.

Make sure that you when ever not using SDK detach policy from groups from IAM page

So how to secure own AWS account,below i have mentioned some best way to protect your keys in production.

Don’t Hard code AWS Credentials anywhere in the code,it is clearly mentioned in official documentation

Mentioned in AWS Docs

First Way

  1. Load your credentials from shared credentaisl files
  • Linux users: ~/.aws/credentials
  • Windows users: C:\Users\USER_NAME\.aws\credentials
aws_access_key_id = <YOUR_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_SECRET_ACCESS_KEY>

2. Load it from Environment variable

Before committing your code it is advice to run git secrets

Second way

git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected.Read here how to set up git secrets

https://github.com/awslabs/git-secrets

For more detailed explanation and for other ways read official documentation here

Bill amount i was supposed to pay was $4439.58 USD

Other Links

  1. https://rhinosecuritylabs.com/penetration-testing/aws-security-vulnerabilities-and-the-attackers-perspective/
  2. https://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_crawling_with_keyslurping_bots/

Selvaganesh

Written by

I try to learn and help others by sharing what I find | https://www.youtube.com/user/ganeshrsg | https://github.com/ganny26

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade