“When you access AWS programmatically, you verify your identity and the identity of your applications by using an access key. An access key consists of an access key ID (something like AKIAIOSFODNN7EXAMPLE) and a secret access key (something like wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY),” it’s explained in AWS’ Best Practices for Managing AWS Access Keys document.
“Anyone who has your access key has the same level of access to your AWS resources that you do. Consequently, we go to significant lengths to protect your access keys, and in keeping with our shared-responsibility model, you should as well.”
But some users have been lax when it comes to protecting their keys.
“We’ve seen a couple cases where customers accidentally uploaded their root access keys to public code repositories, so we recommend minimizing your security surface area by deleting (or not creating) root access keys altogether,” they noted in a recent blog post.
The keys are easily discoverable via a simple GitHub search and, according to Ty Miller, founder of penetration testing firm Threat Intelligence, almost 10,000 of them can currently be found on the popular hosting service for software projects.
As he explained to IT News Australia, he did the search and tested one of the unearthed keys in order to see whether he can access the AWS account and mess with it.
And he did - he uploaded and then deleted a file from the account. He says he could have done much worse. “If these are developers who are creating applications for corporations and the corporations AWS keys are leaked - you could potentially go in and delete their entire environment,” he pointed out.