
What happens if you accidentally commit your AWS access token to public GitHub?

On 10th Oct 2017 I was trying to set up the AWS SDK using JavaScript in my free tier account.

After successfully using AWS services, I accidentally committed the accessKeyId, secretAccessKey & region information to a public Git repository.

Usually I check the EC2 dashboard after about 2 hours; this time I suddenly came to know that 20 instances were running, that too with static IP allocation, in the Ohio region. I got shocked and terminated all my instances.

Then, to make sure, I checked in the other regions whether any instances were activated or not; yes, there too 20 instances were running. So in all 15 regions 20 instances were running, which means 20 x 15 = 300 virtual machines were running without my knowledge. Yeah, it's a hack to perform bitcoin mining.

So what really happened here: whenever you accidentally commit any auth token or secret parameters to your Git repository, they will be automatically fetched by bots running anywhere in the world.

How can bots find my exact token when there are billions of projects available on GitHub? One way: using the GitHub search APIs, anyone can query repositories, commits, code and users by passing a query.

In my case I had saved my token in a config file with the parameter name accessKeyId; bots might have written a query like the one below.

https://api.github.com/search/code?q=accessKeyId

So once they start hitting it, the result may come back as a successful response along with our actual key, which is what they wanted to hack.

Then, using the AWS SDKs, the intruders started to create high-power EC2 machines programmatically within a few seconds. We will not get notified whether a machine got activated or not; we will be the losers.

First, make sure that you have terminated all the instances in all regions.

[Image: Check the number of running instances in all regions]

Then delete your IAM access key: go to Services > IAM.

[Image: Delete using the small cross on the right of the row]

After doing this you are secure from the intruder.

But one good thing: there is a good bot, GitGuardian, that sent me an email stating that an AWS key commit was detected.

[Image: Mail that I received from GitGuardian]

After reading this mail I deleted the entire project which I had pushed to the public repo.

Make sure that whenever you are not using the SDK, you detach the policy from the groups on the IAM page.


So how do you secure your own AWS account? Below I have mentioned some of the best ways to protect your keys in production.

Don't hard-code AWS credentials anywhere in the code; this is clearly mentioned in the official documentation.

[Image: Mentioned in the AWS docs]

First Way

  1. Load your credentials from the shared credentials file
  • Linux users: ~/.aws/credentials
  • Windows users: C:\Users\USER_NAME\.aws\credentials

  2. Load them from environment variables

Before committing your code it is advised to run git-secrets.

Second way

git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected. Read here how to set up git-secrets:

https://github.com/awslabs/git-secrets
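To show what such a pre-commit check does, here is an added example (not from this post and not git-secrets itself) of a simplified scanner in the spirit of `git secrets --register-aws`: it looks for an AWS access key ID and for a 40-character secret assigned to a key-like name such as the post's `secretAccessKey`, and returns findings a hook could use to reject the commit. The prefix list is the one git-secrets registers for AWS (assumption: the tool's list may change over time); the config samples are constructed with placeholder values.

```javascript
// Added example (not from the post, and not git-secrets itself): a
// simplified scanner in the spirit of `git secrets --register-aws`,
// returning findings so a pre-commit hook can reject the commit.

// Access key IDs are 20 characters: a 4-character prefix plus 16
// upper-case alphanumerics. Prefix list as registered by git-secrets
// (assumption: the real tool's list may be updated over time).
const ACCESS_KEY_ID =
  /\b(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b/;

// A secret access key is 40 base64-like characters. Alone that is too
// noisy, so flag it only when assigned to a secret/access/key-style name
// (this also catches the post's `secretAccessKey` config parameter).
const SECRET_ASSIGNMENT =
  /(?:aws_?)?secret_?access_?key\s*[:=]\s*["']?[A-Za-z0-9/+=]{40}["']?/i;

// Scan one file's contents; returns one finding per offending line.
function scanForAwsSecrets(path, contents) {
  const findings = [];
  contents.split(/\r?\n/).forEach((line, i) => {
    if (ACCESS_KEY_ID.test(line)) {
      findings.push({ path, line: i + 1, kind: 'access-key-id' });
    }
    if (SECRET_ASSIGNMENT.test(line)) {
      findings.push({ path, line: i + 1, kind: 'secret-access-key' });
    }
  });
  return findings;
}

// Constructed sample: a config.js of the kind the post describes,
// with placeholder values shaped like real credentials.
const LEAKY_CONFIG = [
  "module.exports = {",
  "  accessKeyId: 'AKIAEXAMPLEEXAMPLE01',",
  "  secretAccessKey: 'EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEABCDE',",
  "  region: 'us-east-2',",
  "};",
].join('\n');

// Constructed sample: the same module with credentials left to the
// SDK's default provider chain (environment or ~/.aws/credentials).
const SAFE_CONFIG = "module.exports = { region: process.env.AWS_REGION };";

// Hook-style driver: a non-empty result means "reject the commit".
for (const f of scanForAwsSecrets('config.js', LEAKY_CONFIG)) {
  console.log(`${f.path}:${f.line}: possible AWS ${f.kind}, commit rejected`);
}
console.log(scanForAwsSecrets('config.js', SAFE_CONFIG).length); // 0
```

In a real hook you would feed the scanner the staged contents of each file; the real git-secrets also checks commit messages and merge history, which this sketch does not.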

For a more detailed explanation and for other ways, read the official documentation here.

The bill amount I was supposed to pay was $4439.58 USD.


Other Links

  1. https://rhinosecuritylabs.com/penetration-testing/aws-security-vulnerabilities-and-the-attackers-perspective/
  2. https://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_crawling_with_keyslurping_bots/

Written by

I try to learn and help others by sharing what I find | https://www.youtube.com/user/ganeshrsg | https://github.com/ganny26
