
I was one of those people bitten by this last night. My client called and told me he was getting access denied when trying to upload files through his CMS. After some digging I found the S3 key had been revoked. This was concerning, as I hadn't touched the CMS code I wrote in like 3 years and I've had issues deploying old stuff to Heroku in the past. I really wish MongoHQ had contacted me first about revoking the keys.


We're very sorry about this, we went into a little bit of a panic when we realized that we held IAM credentials that gave full access to people's EC2 accounts and did what we thought was best. In hindsight, we should have gotten ahold of Amazon immediately and let them manage that process.


Best practice would be to create an IAM user for each purpose rather than sharing the same AWS key across all of your apps, for this exact reason.


At the time this project was put together, IAM didn't exist. But I agree that this would be the best approach going forward.


Yes, for this reason, and because having separate keys allows you to set appropriate access controls limited to the function they are being used for.
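The per-purpose key with a scoped policy that the two comments above describe, as an added example (not code from the thread or from MongoHQ): it builds an IAM policy document that lets one CMS upload user write under a single prefix of a single S3 bucket, and includes a small check that flags Allow statements granting wildcard actions or every resource, which is what a shared account-wide key looks like. The bucket name, prefix and statement Sids are assumed placeholders.

```python
"""
Least-privilege IAM policy for a single-purpose CMS upload user.

Added example, not taken from the thread. The bucket name and prefix
below are assumed placeholders for illustration.
"""
import json

BUCKET = "example-cms-uploads"   # assumed
PREFIX = "uploads/"              # assumed


def upload_only_policy(bucket: str, prefix: str) -> dict:
    """Return an IAM policy document that lets a user read, write and
    delete objects under one prefix of one bucket, and list only that
    prefix. Nothing else in the account is reachable with this key."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteUploads",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"{bucket_arn}/{prefix}*",
            },
            {
                "Sid": "ListUploadPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy: dict) -> list:
    """Return the Sids (or positional labels) of Allow statements that
    grant a wildcard action ("*" or "service:*") or apply to every
    resource ("*"). A key used only to upload CMS files should yield []."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action or wild_resource:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


# Constructed for contrast: the kind of grant behind a single shared key
# with full account access (the shape of AWS's AdministratorAccess policy).
SHARED_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

if __name__ == "__main__":
    scoped = upload_only_policy(BUCKET, PREFIX)
    print(json.dumps(scoped, indent=2))
    print("broad statements in scoped policy:", overly_broad_statements(scoped))
    print("broad statements in shared key:   ", overly_broad_statements(SHARED_FULL_ACCESS))
```

Write the generated document to a file and attach it to a dedicated user with `aws iam create-user` and `aws iam put-user-policy --policy-document file://policy.json`; then if that one key is ever revoked or leaked, only the CMS upload path is affected and the rest of the account's keys keep working.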



