And please for the love of all that is secure, use IAM roles. Even for your personal things. it's not that hard and you can stop things like this from happening even with the auth credentials.
You can use AWS IAM (https://aws.amazon.com/iam/) to help prevent something like this. AFAIK you can create a sub-account that only has access to specific resources, such as S3, and use the keys from that sub-account.
I haven't used it much, but it looks like you can be very specific in what you allow, such as only allowing access to a single bucket with S3, or a single domain with SES.
You totally can be very specific about what actions and services an IAM key has access to. The permissions model takes a bit to get your head around (It did me, at least) but once you do, you can have very strict, precise permissions for your keys.
amazon has limits that take time to increase, which has me scratching my head - we've always had to put in a support ticket whenever moving past those limits, for instance the 50 server limit we reached.
> I learned a valuable lesson here though. Don’t trust .gitignores and gems like Firago for keeping your data safe. Open source is awesome, but if you are dealing with anything that can be scaled up to thousands of dollars per hour – at least store it in a private repo if not on your local machine.
You learned the wrong thing :-P The lesson here is "always check what you're committing"
As an additional layer of safety, you can also commit to a local repo, or a private bitbucket repo, and give it all a nice once over before pushing everything to GH. At least this keeps your screw ups out of public scope.
Isn't that what you're doing anyways when you use a DCVS? Granted, I use mercurial. It has two components on your side, your working directory, and the actual repo. Committing moves changes from your working directory, and saves them to a branch on your local repo. Then you get the local repo to push that change to a remote one.
In essence, "committing" then is the act of pushing your changes to your local repo. Or you could, you know, just look at the changes on disk if really required.
1. Use IAM roles. AWS keys should only have access to the specific functionality they need. Best practice is to never use your root credentials for anything; always use IAM users and use unique keys for each use case, so that you can invalidate and replace them easily. Every time documentation or a tutorial asks you to insert AWS keys, your response should be "let me go create a role for that" rather than "let me go look those up".
2. More importantly, if you ever accidentally publish or leak credentials, don't try to clean it up by deleting those commits. Invalidate the credentials immediately and re-issue them.
3. Always, always `git diff HEAD` before committing. Know what you're about to push up. This isn't just a security concern - the number of small, stupid things you'll catch that you'd otherwise end up fixing 15 seconds later is substantial. As a bonus, this incentivizes you to keep your commits small and atomic.
You might talk to Amazon directly - they've been known to forgive debts like these in these kinds of circumstances.
> You might talk to Amazon directly - they've been known to forgive debts like these in these kinds of circumstances.
They did:
> Lucky for me, I explained my situation to Amazon customer support – and they knew I wasn’t bitcoin mining all night. Amazon was kind enough to drop the charges this time…
On HN I recall the title originally including the $2300 (which matched the blog post's title). Now the HN title does not include the $ amount. Did the mods make that change? I would think preserving the source's title would generally take precedence even if a bit misleading.
I'm nearly certain it did, which is in line with submission guidelines; certainly the title led to our mutual confusion. I do not know how/if titles can be edited.
Huge +1 for #3. Saves my ass all the time. I usually stage the changes I think I want to commit and use `git diff --staged` to confirm before I commit.
I like that better - I think I'll start using it. I usually end up staging the stuff I want to commit and reverting the stuff I don't, but that offers better flexibility. Thanks!
Call me unsophisticated, but I personally find it extremely helpful to use a GUI (currently using SourceTree) to interactively review changes before committing. I use the command line for almost everything else, but this is one of those cases where a nice GUI really seems to shine.
That's how I work these days as well. SourceTree for commits, especially if I just want to stage hunks instead of whole files. Command line for everything else.
Funny, I ended up with SourceTree because it seemed like a clean and simple (well, at least when I started with it), but still having all the tools I needed, alternative. Sure, it has gotten a bit more complex, but the basic functionality (as I see it: diff, stage, commit, push, pull, branch management) feels simple to me.
Could you explain what parts of it you don't like? Also, could you link to git gui? I tried to Google it, but didn't really get good results (shockingly, all the other Git GUI programs came up...).
It just seemed so confusing compared to the other tools I mentioned, and it would try to do all this extra stuff for you automatically (i.e. adding weird extra arguments to the git commands and I had no idea what they did)
Ah, the weird extra arguments is something that I had noticed as well. And I have to admit, with some shame, that I have not taken the time to look into why.
My workflow is primarily raw CLI (no aliases, no github extensions, etc). I have vim configured as my primary editor and my .vimrc has the vim-git plugin (https://github.com/tpope/vim-git) loaded so I can enforce 50-char summary and 72-char line-wrapping.
SourceTree for visualizing branches and for staging individual lines from a hunk in a finer grained fashion than `add -p` allows. Occasionally for branch maintenance when an interactive visual list is useful.
gitk for loading partial histories (eg. --author options, pickaxe option), visualizing complex branch arrangements that make SourceTree choke, anytime I need performance to search back many months.
I also use Vim and Fugitive, but instead of using a GUI I use `vimdiff` as my Git mergetool and difftool. You can use `git difftool` instead of `git diff` and your diffs will open in `vimdiff`. This also goes for any other diff programs which take command-line arguments, like some GUI programs, FWIW...
Try the GitHub app (which works with non-github git repos as well). It's feature list is TINY compared to SourceTree, its pretty and has a very easy to use commit interface.
I really really really wish that GitHub's application worked on Linux. Linux is seriously missing a lot of nice GUI applications that OSX and Windows get. Actually, Linux is missing a lot of nice convenient things that Windows and OSX have. It's all technically possible on Linux, but it's intentionally left difficult (or "advanced") for no reason that I can tell. Just the other day I was trying to install Lua on a Linux machine for the first time. Lua for Windows comes as a single installer that includes Lua, over a dozen batteries-included libraries, and a text editor. To get that on Linux, you have to yum install lua, install luarocks from source, then luarocks install every library you want to have.
The only reason Linux is nicer for certain kinds of programming is because Bash and the GNU utils are so great. But why bother when there's a world of people making things so easy and smooth for Windows?
I'm with you on this as well. I attempt to make small localized changes, thus `git diff` usually suffices. However if I forget to commit often, or end up doing a big refactor, I will use SourceTree to aid in inspecting the diff. Additionally, I find staging hunks much more intuitive via a GUI than the command line.
tig[1] is another really nice tool to check the diff while on the working branch. It shows things like what branch different remotes are on and a nice tree of what has happened on the source tree (merges, pull requests, etc.)
Heroku doesn't require any Github account - that's the beauty of git :)
That said, I'd still argue that you should practice defense-in-depth; plan for "this is how I'll limit damage when someone gets ahold of these credentials" rather than "Nobody will get these, so I can do dangerous things with them".
It's the same argument behind "don't do things as root unless you have no other choice"; trading security for convenience works really nicely right up to the point where you get your teeth kicked in.
+1 - Even if you are using a private repo within your company, committing credentials is foolishness. It's trivial for someone to intentionally or unintentionally leak them, or abuse them.
And personally, I've found that it's just good practice to exercise those kinds of precautions for "throw-away" projects regardless of their "throw-away" status. It keeps you honest.
About IAM... I worked with that a LOT a couple of years ago. It's interesting but quite the rabbit hole of configurations and permissions.
I used to be an AWS fanatic and got burned. Unless you need to scale up on the spot (and have the time to code management of that) it's a huge waste of time for no good price. EC2 instances have dismal performance.
Just get decent servers somewhere. For most scenarios it's hard to max out a server nowadays, if you program decently. You have to do that for AWS 10x anyways, IMHE. The cloud is a black hole of developer time and problems.
On top of that it's stupid to put data in US when you are a foreign company, you are open game for 3 letter agencies no questions asked.
I really have to wonder about the amount of time to setup your own servers. I like to setup and tweak hardware for fun. But the time and starting costs seems way too much compared to spinning up a few instances to get something going quickly. Looking around here, San Francisco bay area, I can't find any way to host a server as inexpensively and as quickly as I can on the cloud. Plus there are lots of alternatives to AWS which promise better performance.
BTW, tweaking around with servers can also be a major time sink.
In addition to git diff, I suggest git add -p and git diff --cached to enhance visibility of changes. I alias them to short mnemonics in my bash configs.
If you do just "git diff" it will show you the diff between the index (staging area) and your working tree. If you do "git diff HEAD" it will show you the difference between the latest commit and your working tree, that is, it includes the diff in the staging area.
Hell, even without making the mistake of publishing keys, I've accidentally run up quite large bills for Amazon services; backups that failed to remove old copies was a big one. Instances that were supposed to have been shut down, but for some reason it didn't happen (I don't know if this is my mistake or a bug at Amazon...probably my mistake).
I've simply stopped using Amazon for anything tinkery, because the costs of making mistakes can be tremendous. At least when I make mistakes on my own colocated server, I know it can never cost me more than the $100/month I pay to host it. And, storage is practically infinite (4TB hard disks), and I can spin up more VMs than I would ever need for tinkering in 32GB of RAM on our "spare" server.
And, when I have needed to use VM with some cloud host...Linode and Digital Ocean and similar may have dramatically smaller toolsets for managing virtual resources than Amazon (probably unworkably so for large deployments), but my mind has a much easier time predicting costs than with Amazon. After being surprised on more than one occasion with a ~$300 bill from Amazon (for running nothing but personal pet projects with no economic return), I turned everything off.
Something similar has happened to me, on a smaller scale. I was recently checking my bank account, and noticed a charge from AWS for something like $15. After further investigation, I had apparently been charged this $15 for about 6 months.
Hmm.
Logging into AWS and checking the Cost Explorer showed that I had been charged for a t1.small EC2 instance I had running, but when I logged into the AWS console, all I saw was a single "stopped" instance. There's no way I was being charged for cycles I'm not using, right?
Turns out that the instance I was being charged for was in us-west, and I had only been looking at us-east- and there is no indication within the actual EC2 panel that you have instances in other regions!
Not sure why you didn't click on "Billing & Cost Management" where you can see a complete breakdown (by resource and region) of exactly what you are being charged for.
I don't know about the previous commenter, and I don't know if the tools have improved, but when I tried to use the billing and cost management page, I couldn't figure out what was actually costing so much. It broke it down into (EC2, S3, etc.), but I couldn't figure out how that mapped out to the bill (i.e. was it the snapshots of my instances, the storage for the not running instances, the old backups in S3, etc.). It didn't seem like it was telling me "exactly" what I was being charged for.
For me, when I saw a $300 bill for one running EC2 instance, a couple of halted ones, and a few hundred GB of storage for something I thought of as a "toy" project that I didn't want to invest serious time or money in, I knew I was done with AWS. A small colocated server could readily provide those resources for vastly less money (and I work on tools to manage cloud and VM resources, including a reasonably good API for spinning them up and down and such, so I don't really miss the Amazon API or UI). This was after I'd already gotten a shock from an automated backup gone wrong that ran up a huge bill. So, it took me a couple of times getting burned.
Of course, it's always been my fault for not understanding how Amazon bills for things, what services cost money (i.e. a down instance still costs money), how much things cost, and sometimes how the API works (or at least confirming that it's doing what I think it's doing, in the case of removing old backups). I'm not blaming Amazon. I'm just saying, I don't trust myself to use Amazon for anything that I'm not going to spend a lot of time and energy on, because I'm obviously not capable of using it without making mistakes when I treat it like a toy. I readily admit I shot myself in the foot; Amazon just provided the guns.
Almost the exact same story here. I never thought to change the region to see what was causing a $3 charge every month, and at $3 I didn't have the energy to investigate further until about a year of needling frustration built up and I reached out to Amazon support directly and they clued me in.
Years later I'm using AWS professionally, and it all seems easy now. But when you are first introduced to AWS and want to kick the tires on a toy project, it can be confusing and overwhelming.
+1 on this. I have several instances running in US East and Ireland. When you login it just shows the instances for 1 region (usually us-east) and I have a quick "oh shit" moment wondering what happened to the Ireland servers. The AWAS EC2 console really needs a way to show all instances.
When I setup an AWS account for pet projects the very first thing I do is create a billing alarm that alerts me the second my bill goes above $0. This way if something is accidentally running without my knowledge, ill get an alert (email / sms) and can quickly take action.
For applications I've opted to use Heroku due to its simplicity when compared to EC2. I'm still working out the static storage though. I was impressed by Amazon customer support, so I may stay around. Simply renting a VPS somewhere is another option.
are there any major companies providing co-location or is it kindof a diverse scene? im curious about it but only really know about cloud VM... basically just looking for a site where i can read about one of these services / pricing plan. my main questions are about bandwidth -- for one company i freelance for, the majority portion of their bill is s3 IO and it would be huge for them to get to a capped pricing model even if speed suffers
tried googling but it doesnt seem so straight-forward... i like the idea though.
Colo can be confusing. There are large companies that have their own data centers (sometimes dozens of data centers) and many small companies that often bundle and re-sell services. I currently use CoreXchange, which is now owned by Zayo. I chose them partly because they are pretty close to me; I'm in Austin, the data center I'm hosted in is in Dallas. They have pretty clear pricing on their website and their connectivity and service is good and fast. But, there are many, many, good providers out there. I would check in your area (assuming you're in an area that has good backbone access; most large cities do), first.
There are cheaper providers and more expensive providers...sometimes, it can be hard to tell whether you get what you pay for, without actually trying it. But, most of the big colo providers have been discussed online at Web Hosting Talk or other places. When getting new service, I usually check WHT first for deals in my local area in a good data centers. Sometimes, for low bandwidth (where low bandwidth may mean something still kinda huge, like several terabytes of transfer per month) a reseller may be the best deal. Sometimes, going straight to the provider is the best choice. I ended up a CoreXchange by way of a deal from ColoUnlimited.
The good thing about going this route is that ongoing costs are somewhat lower, generally speaking, though up front costs are much higher (~$3000 for a server, for example). And, costs can be predicted with high precision. You can simply say, "I want this much bandwidth." and that's what they'll give you and bill you for. You're pretty much just paying for power and bandwidth when you're in a colo; all the other stuff is up to you (hardware upgrades, replacements, etc. either need to be done via shipping gear in and out or by going on-site to make the changes).
The bad thing about going this route is that it's all on you. This isn't "managed" hosting (though they do have staff on-hand, and you can usually pay for "remote hands" to handle system upgrades and such, it tends to be very pricey for anything more than simple reboots). And, scaling is non-trivial. In the bad old days, if you had a site get crazy popular overnight, you had to figure out how to get more servers online on short notice...maybe missing an opportunity to grow and blowing your shot at a good first impression on new users. AWS and other cloud services are much more readily scalable. But, there's no reason you can't build with scaling in mind, and use cloud services for elasticity while using colocated servers for your baseline service. That's how we do for our business stuff. If we suddenly need more servers online, we spin them up via Amazon or Google Compute Engine (the software I work on supports several cloud providers, as well as building cloud infrastructure out of heterogeneous servers, so this is not much different than managing VMs on our own hardware and we can move websites and such back and forth across our own machines and AWS VMs reasonably easily).
Agreed. But the discussion here on Github is pretty good and tells us that it's happened to quite a lot of people. So the headline might be a bit sensational, but it's a real problem.
definitely. but he's blaming it on learning rails in a way. this is coming from someone who did this at one of their jobs. i accidentally committed AWS keys, and we had dozens of servers launched on our account in minutes. was insane.
Having root credentials is sufficient, and based on the fact that this guy said "apparently the s3 api lets you spin up ec2 instances" it looks like he didn't touch IAM.
Root credentials are deprecated, but can still be used and if this guy used them then yes, his billing alarms could have been disabled.
There's a difference between an admin iam user (can't do billing stuff) and the root credentials (just as powerful as username / password).
Maybe they should send an email/SMS to notify you that email/SMS had been disabled. (And, an email/SMS to the old address when the email/SMS is changed too.)
Yours is a great observation! With great power comes great responsibility. If you find that you got great power but don't feel you got great responsibility, then chances are you are doing it wrong.
If the criminals can create a bot to scan for AWS keys, I wonder if github can't create a plugin to detect the same and warn the committer or maybe limit access to this data to original committer only. It won't be 100% but I bet the bots aren't 100% either, so if it covers most of the cases it would still be useful.
Or maybe just have a script on local github pre-commit hook?
Nobody said it was their responsibility. If adding an optional feature that prevents you from shooting yourself in the foot makes people like github more, maybe it's worth it to them. "Responsibility" has nothing to do with it.
> Maybe you should rethink your policy either way.
Do you have articles discussing the cons of AWS keys in private repos?
We deploy our systems on vanilla EC2 instances, which are configured by using a server orchestration system (Ansible). So for any env variables to get set, we'd have to put them in config scripts, which are currently checked into github.
To make it clear, we only check in our IAM keys that are AWS service specific, like SES.
It is thinking like this that leads companies from being awesome. I've known a couple people in real life that this has happened to. It is stupid and wasteful.
It's not an obligation, but neither is running a free git repository :) It would be a nice help though. One that can save some people $2k - not many software features have this kind of immediate impact :)
> It won't be 100% but I bet the bots aren't 100% either
Bots having tons of false positives doesn't really matter (except to the bot maker, maybe). But GitHub having tons of false positives means customers get annoyed by false alerts, locked data, whatever.
I don't think people will be upset to get an "WARNING: You might have committed a secret" if it's a negative.
You might be right if it really is a ton, but then you work on your algorithm. I think the problem is so big that there really do need to be warnings for these kind of issues.
Removing such suspicious actions from public /events API and other APIs would probably have minimal effect but have the bots that feed from those not see it. Just one of the possibilities :)
This happened to me and I was immediately emailed by AWS with an auto-generated support case: "Your AWS account ### is compromised". The emails outlined next steps like: check for unauthorized usage, delete/rotate the key, etc.
Damn! I know one thing for sure after reading this, I am not even trying AWS until I really really know what I am doing. For now I'll stick with VirtualBox and DigitalOcean.
$100/mo cap would save a lot of these accounts from being hacked. My mistake was not unique, and if you browse around on Google you will find other authors who have had the same issues.
For Amazon it is certainly possible, imo. They just don't do it, AFAIK. An alert that you might or might not get is obviously not as reliable as a hard limit.
I used some app to upload a 250GB archive to Amazon Glacier. Turns out the app was having difficulties uploading it all at once, and its queue functionality sucked. I explained this to Amazon, since they were suggesting that I use that app to begin with. Turns out I ended up using terabytes of data usage just getting everything up to Glacier because the app was faulty. They tried to bill me something like $1500, but I never paid for it and just had my data removed immediately.
I used some app to upload a 250GB archive to Amazon Glacier. Turns out the app was having difficulties uploading it all at once, and its queue functionality sucked. I explained this to Amazon, since they were suggesting that I use that app to begin with. Turns out I ended up using terabytes of data usage just getting everything up to Glacier because the app was faulty. They tried to bill me something like $1500, but I never paid for it and just had my data removed immediately.
I'm not at all surprised to learn of bots cruising github looking for keys. I think a good lesson is that if you ever accidentally expose your API key - revoke or delete them immediately and generate new key.
I've said this before, but AWS billing support is usually quite sympathetic to your situation if you've made a mistake. They've dropped $120 in spot instance charges I had which went way over what I expected.
I'm surprised no one else mentioned the Heroku mistake of putting config in a file instead of an environment variables. Settings like API keys should always be in env vars on Heroku, not in a config file.
The same thing happened to me.
Almost exactly. Rails again. S3 bucket for images. Following along with 1monthrails this time. Pushed the key, fell asleep, awoke to Amazon warnings and a $2000+ bill. Also removed.
I wonder how often this happens. Are they mining bitcoins?
Because they can make money much faster with litecoin.
To illustrate this, EC2 GPU instances have a NVIDIA Kepler GK104 with 1536 cores, so that is like the GTX680. It gets 120 MHash/s on bitcoin, which translates to 2 cents per month.
It gets 207 kHash/s on litecoin, which translates to 32 cents per month.
I think on vertcoin you could get 90 cents per month.
Why doesn't an account automatically come with, let's say, a $100/mo default cap. And also a $25/day default cap. Someone playing around would just leave those defaults alone and thereby not wind up looking like a total fool.
Using Wikipedia for a guide, a micro instance only costs $0.013 per hour. An instance with 30 GiB memory and 8 cores only costs $1.00 per hour. So the cap numbers I suggested would work fine for many people.
For some reason Amazon allows people to shoot themselves in the foot too easily. Yes, they usually? waive the charges, but it seems like such a waste of resources, overall. It wouldn't be so bad if bitcoin mining were more profitable. But $1000 spent at Amazon probably mines $10 or less in bitcoin. What a waste of energy.
And what would the action be when that limit is reached? Terminate all your EC2 instances? Delete your objects from S3/Glacier? Destroy all your RDS/DynamoDB/SDB tables? Disable your CloudFront CDN assets? Stop returning DNS answers from Route 53?
This blog genre would then be "Amazon deleted all my stuff and ruined my business because they didnt think I'd pay $26". As the story notes they tried to reach out multiple times using multiple contacts. There are also existing
tools for setting up specific billing alerts if you really want to take some action at $26.
171 comments
[ 4.1 ms ] story [ 241 ms ] threadI haven't used it much, but it looks like you can be very specific in what you allow, such as only allowing access to a single bucket with S3, or a single domain with SES.
I use a specific key for only allowing DNS updates to be applied to "example.com" and no other domain, for example.
As others have mentioned the billing alerts are also a useful thing, along with the IAM Simulator.
You learned the wrong thing :-P The lesson here is "always check what you're committing"
I realize I haven't always followed this advice myself. So the reminder from the OP story is useful.
In essence, "committing" then is the act of pushing your changes to your local repo. Or you could, you know, just look at the changes on disk if really required.
1. Use IAM roles. AWS keys should only have access to the specific functionality they need. Best practice is to never use your root credentials for anything; always use IAM users and use unique keys for each use case, so that you can invalidate and replace them easily. Every time documentation or a tutorial asks you to insert AWS keys, your response should be "let me go create a role for that" rather than "let me go look those up".
2. More importantly, if you ever accidentally publish or leak credentials, don't try to clean it up by deleting those commits. Invalidate the credentials immediately and re-issue them.
3. Always, always `git diff HEAD` before committing. Know what you're about to push up. This isn't just a security concern - the number of small, stupid things you'll catch that you'd otherwise end up fixing 15 seconds later is substantial. As a bonus, this incentivizes you to keep your commits small and atomic.
You might talk to Amazon directly - they've been known to forgive debts like these in these kinds of circumstances.
They did:
> Lucky for me, I explained my situation to Amazon customer support – and they knew I wasn’t bitcoin mining all night. Amazon was kind enough to drop the charges this time…
I prefer to always "git commit -v", which shows me the diff while I edit the commit message.
Could you explain what parts of it you don't like? Also, could you link to git gui? I tried to Google it, but didn't really get good results (shockingly, all the other Git GUI programs came up...).
It just seemed so confusing compared to the other tools I mentioned, and it would try to do all this extra stuff for you automatically (i.e. adding weird extra arguments to the git commands and I had no idea what they did)
My workflow is primarily raw CLI (no aliases, no github extensions, etc). I have vim configured as my primary editor and my .vimrc has the vim-git plugin (https://github.com/tpope/vim-git) loaded so I can enforce 50-char summary and 72-char line-wrapping.
I use other clients for special purposes:
Fugitive (https://github.com/tpope/vim-fugitive) primarily for git blame while working.
SourceTree for visualizing branches and for staging individual lines from a hunk in a finer grained fashion than `add -p` allows. Occasionally for branch maintenance when an interactive visual list is useful.
gitk for loading partial histories (eg. --author options, pickaxe option), visualizing complex branch arrangements that make SourceTree choke, anytime I need performance to search back many months.
https://mac.github.com or https://windows.github.com
The only reason Linux is nicer for certain kinds of programming is because Bash and the GNU utils are so great. But why bother when there's a world of people making things so easy and smooth for Windows?
I like Sourcetree for history and diffs, but it's CLI all the way for commits.
[1] https://github.com/jonas/tig
Seems like the best lesson learned is keep personal work personal, use private repos if using GitHub.
That said, I'd still argue that you should practice defense-in-depth; plan for "this is how I'll limit damage when someone gets ahold of these credentials" rather than "Nobody will get these, so I can do dangerous things with them".
It's the same argument behind "don't do things as root unless you have no other choice"; trading security for convenience works really nicely right up to the point where you get your teeth kicked in.
and use least privilege to make sure that if you do screw up it's as minor as possible.
And personally, I've found that it's just good practice to exercise those kinds of precautions for "throw-away" projects regardless of their "throw-away" status. It keeps you honest.
I used to be an AWS fanatic and got burned. Unless you need to scale up on the spot (and have the time to code management of that) it's a huge waste of time for no good price. EC2 instances have dismal performance.
Just get decent servers somewhere. For most scenarios it's hard to max out a server nowadays, if you program decently. You have to do that for AWS 10x anyways, IMHE. The cloud is a black hole of developer time and problems.
On top of that it's stupid to put data in US when you are a foreign company, you are open game for 3 letter agencies no questions asked.
BTW, tweaking around with servers can also be a major time sink.
I've simply stopped using Amazon for anything tinkery, because the costs of making mistakes can be tremendous. At least when I make mistakes on my own colocated server, I know it can never cost me more than the $100/month I pay to host it. And, storage is practically infinite (4TB hard disks), and I can spin up more VMs than I would ever need for tinkering in 32GB of RAM on our "spare" server.
And, when I have needed to use VM with some cloud host...Linode and Digital Ocean and similar may have dramatically smaller toolsets for managing virtual resources than Amazon (probably unworkably so for large deployments), but my mind has a much easier time predicting costs than with Amazon. After being surprised on more than one occasion with a ~$300 bill from Amazon (for running nothing but personal pet projects with no economic return), I turned everything off.
Hmm.
Logging into AWS and checking the Cost Explorer showed that I had been charged for a t1.small EC2 instance I had running, but when I logged into the AWS console, all I saw was a single "stopped" instance. There's no way I was being charged for cycles I'm not using, right?
Turns out that the instance I was being charged for was in us-west, and I had only been looking at us-east- and there is no indication within the actual EC2 panel that you have instances in other regions!
I was a bit perturbed, to say the least...
For me, when I saw a $300 bill for one running EC2 instance, a couple of halted ones, and a few hundred GB of storage for something I thought of as a "toy" project that I didn't want to invest serious time or money in, I knew I was done with AWS. A small colocated server could readily provide those resources for vastly less money (and I work on tools to manage cloud and VM resources, including a reasonably good API for spinning them up and down and such, so I don't really miss the Amazon API or UI). This was after I'd already gotten a shock from an automated backup gone wrong that ran up a huge bill. So, it took me a couple of times getting burned.
Of course, it's always been my fault for not understanding how Amazon bills for things, what services cost money (i.e. a down instance still costs money), how much things cost, and sometimes how the API works (or at least confirming that it's doing what I think it's doing, in the case of removing old backups). I'm not blaming Amazon. I'm just saying, I don't trust myself to use Amazon for anything that I'm not going to spend a lot of time and energy on, because I'm obviously not capable of using it without making mistakes when I treat it like a toy. I readily admit I shot myself in the foot; Amazon just provided the guns.
Years later I'm using AWS professionally, and it all seems easy now. But when you are first introduced to AWS and want to kick the tires on a toy project, it can be confusing and overwhelming.
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/...
tried googling but it doesnt seem so straight-forward... i like the idea though.
There are cheaper providers and more expensive providers...sometimes, it can be hard to tell whether you get what you pay for, without actually trying it. But, most of the big colo providers have been discussed online at Web Hosting Talk or other places. When getting new service, I usually check WHT first for deals in my local area in a good data centers. Sometimes, for low bandwidth (where low bandwidth may mean something still kinda huge, like several terabytes of transfer per month) a reseller may be the best deal. Sometimes, going straight to the provider is the best choice. I ended up a CoreXchange by way of a deal from ColoUnlimited.
The good thing about going this route is that ongoing costs are somewhat lower, generally speaking, though up front costs are much higher (~$3000 for a server, for example). And, costs can be predicted with high precision. You can simply say, "I want this much bandwidth." and that's what they'll give you and bill you for. You're pretty much just paying for power and bandwidth when you're in a colo; all the other stuff is up to you (hardware upgrades, replacements, etc. either need to be done via shipping gear in and out or by going on-site to make the changes).
The bad thing about going this route is that it's all on you. This isn't "managed" hosting (though they do have staff on-hand, and you can usually pay for "remote hands" to handle system upgrades and such, it tends to be very pricey for anything more than simple reboots). And, scaling is non-trivial. In the bad old days, if you had a site get crazy popular overnight, you had to figure out how to get more servers online on short notice...maybe missing an opportunity to grow and blowing your shot at a good first impression on new users. AWS and other cloud services are much more readily scalable. But, there's no reason you can't build with scaling in mind, and use cloud services for elasticity while using colocated servers for your baseline service. That's how we do for our business stuff. If we suddenly need more servers online, we spin them up via Amazon or Google Compute Engine (the software I work on supports several cloud providers, as well as building cloud infrastructure out of heterogeneous servers, so this is not much different than managing VMs on our own hardware and we can move websites and such back and forth across our own machines and AWS VMs reasonably easily).
Lesson 2: When using AWS then use Billing Alarms[1].
It takes about 1 minute to setup and enables e-mail or SMS notifications at dollar-thresholds of your choice.
[1] http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/...
Root credentials are deprecated, but can still be used and if this guy used them then yes, his billing alarms could have been disabled.
There's a difference between an admin iam user (can't do billing stuff) and the root credentials (just as powerful as username / password).
Perhaps one lesson here aside from keeping keys outside of public repositories is to learn how an API works (IAM, arns, etc) before using it.
I have learned that if this is the case, I'm doing something wrong with my AWS setup.
Or maybe just have a script on local github pre-commit hook?
Also how do you differentiate an AWS root key (bad) vs an IAM Key (good)?
In my circles, at least, it's standard practice to use environment variables.
But I would think clearly it'd be an option.
Do you have articles discussing the cons of AWS keys in private repos?
We deploy our systems on vanilla EC2 instances, which are configured by using a server orchestration system (Ansible). So for any env variables to get set, we'd have to put them in config scripts, which are currently checked into github.
To make it clear, we only check in our IAM keys that are AWS service specific, like SES.
Bots having tons of false positives doesn't really matter (except to the bot maker, maybe). But GitHub having tons of false positives means customers get annoyed by false alerts, locked data, whatever.
You might be right if it really is a ton, but then you work on your algorithm. I think the problem is so big that there really do need to be warnings for these kind of issues.
I was very surprised/impressed.
$100/mo cap would save a lot of these accounts from being hacked. My mistake was not unique, and if you browse around on Google you will find other authors who have had the same issues.
Adding environment variables to a file is just a convenience.
I wonder how often this happens. Are they mining bitcoins?
To illustrate this, EC2 GPU instances have a NVIDIA Kepler GK104 with 1536 cores, so that is like the GTX680. It gets 120 MHash/s on bitcoin, which translates to 2 cents per month.
It gets 207 kHash/s on litecoin, which translates to 32 cents per month.
I think on vertcoin you could get 90 cents per month.
If I remember well you could make a few hundred bucks a month with just one high end ATI graphic card.
Why doesn't an account automatically come with, let's say, a $100/mo default cap. And also a $25/day default cap. Someone playing around would just leave those defaults alone and thereby not wind up looking like a total fool.
Using Wikipedia for a guide, a micro instance only costs $0.013 per hour. An instance with 30 GiB memory and 8 cores only costs $1.00 per hour. So the cap numbers I suggested would work fine for many people.
For some reason Amazon allows people to shoot themselves in the foot too easily. Yes, they usually? waive the charges, but it seems like such a waste of resources, overall. It wouldn't be so bad if bitcoin mining were more profitable. But $1000 spent at Amazon probably mines $10 or less in bitcoin. What a waste of energy.
This blog genre would then be "Amazon deleted all my stuff and ruined my business because they didnt think I'd pay $26". As the story notes they tried to reach out multiple times using multiple contacts. There are also existing tools for setting up specific billing alerts if you really want to take some action at $26.