Concerns About AWS S3 Security and Access Key Issues

Asked By CuriousCat99 On

I've been using AWS for about 60 days, primarily with Route 53 and SES, but now I'm setting up a site to sell stock images and videos. I'm utilizing a script from CodeCanyon called GoStock that allows for cloud storage, and I chose AWS S3. I've properly set it up with one IAM user linked to a specific bucket and limited to one Access Key and Secret Key. I've kept the key CSV safe locally and haven't opened my site to the public yet, but I noticed a warning from AWS after roughly 5 weeks of use. The email indicated that my access key might have been exposed to a third party and contained the event "GetCallerIdentity" among other details. I'm curious what this event means and what the third party might have been after. Any insights would be appreciated!

4 Answers

Answered By CloudGuru88 On

I’m not familiar with that event, but hardcoding IAM user keys in scripts isn't recommended. Instead, using IAM roles can be more secure since they automatically rotate your keys.

Answered By AWSnoob101 On

The event "GetCallerIdentity" is pretty basic in AWS. It allows you to see which credentials are active. No permissions are needed for it, so it's often the first check hackers do when they get their hands on leaked keys. They probably wanted to validate the keys before trying to execute more advanced actions. It's good that you limited access, but you should review your security setup to prevent this from happening again.
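A defensive check that follows from this answer, added here as an example and not posted by anyone in the thread: scan exported CloudTrail records for `GetCallerIdentity` calls made with the key from addresses outside the networks where the site runs, and list what else those addresses tried. It assumes CloudTrail events are available as JSON; the function name, sample records, user name and IP ranges are constructed for illustration.

```python
import ipaddress
import json

# Constructed CloudTrail-style records (not real log data). The key ID is the
# AWS documentation example value; user name and IPs are made up.
KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-01-10T08:00:01Z", "eventName": "PutObject",
  "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"userName": "site-uploader", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2024-01-12T03:14:07Z", "eventName": "GetCallerIdentity",
  "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"userName": "site-uploader", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2024-01-12T03:14:09Z", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.77", "errorCode": "AccessDenied",
  "userIdentity": {"userName": "site-uploader", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
]""")

def find_key_probes(records, access_key_id, expected_networks):
    """Group calls made with the key from unexpected IPs; report each IP that
    issued GetCallerIdentity together with every other call it made."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]

    def unexpected(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # CloudTrail may record an AWS service name here
            return False
        return not any(addr in n for n in nets)

    by_ip = {}
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        ip = rec.get("sourceIPAddress", "")
        if unexpected(ip):
            by_ip.setdefault(ip, []).append(rec)

    findings = []
    for ip, events in by_ip.items():
        if any(e["eventName"] == "GetCallerIdentity" for e in events):
            events.sort(key=lambda e: e["eventTime"])  # ISO 8601 sorts as text
            calls = [(e["eventName"], e.get("errorCode", "OK")) for e in events]
            findings.append({"source_ip": ip, "first_seen": events[0]["eventTime"], "calls": calls})
    return findings

if __name__ == "__main__":
    for finding in find_key_probes(SAMPLE_RECORDS, KEY, ["198.51.100.0/24"]):
        print(finding)
```

An `AccessDenied` result after the identity check, as in the constructed sample, shows the bucket-scoped policy holding; the key should still be deactivated and replaced.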

Answered By UserFriendlyOne On

Thanks for the insights! I’m starting to think the developer I worked with might not be someone I can trust with secret keys. After all, it was just the two of us who could access the key used on the site.

NinjaCoder77 -

There was a recent incident involving npm packages that were stealing secrets from users' systems. If either you or the developer used Node, that could explain the potential exposure.

Answered By TechWhiz42 On

It's crucial to know where your scripts are hosted. Sometimes, keys can unintentionally get uploaded if included in a commit. Double-check your setup to make sure that's not the case!
