My AWS Credentials Got Abused, and their Response Made me a Customer for Life


Featured on Hashnode

We primarily rely on AWS for hosting the cloud version of Summation, even though we've previously used both Google Cloud and Azure for various other projects. Our decision has very little to do with features or cost, and everything to do with our prior experience with AWS support.

Amazon has a Reputation for being 'cheap'

Amazon has a bit of a reputation for being cheap; you've probably heard the story about Jeff Bezos using an old door as his desk when he first started the company. Not much has changed in that regard, apparently: investor Jason Calacanis railed on about how cheap AWS was for a good 3 minutes on a recent podcast episode. Based on my experience, however, this frugality seems to apply only internally, not to their customers.

The Email No Developer Ever wants to Receive

A few years ago, a friend who was the CTO of a startup asked if I could help them prototype some computer vision code. I didn't have much time available, but I thought I could hack something together pretty quickly, and after a few days of testing I put the code onto GitHub and sent them the link. It wasn't production code, so I hadn't bothered to use environment variables to store the credentials; they were hardcoded in the source, and that was my downfall. A few days later, I received the following message in my inbox:

[Image: aws_compromised.png, the AWS notice that the credentials had been compromised]
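The mistake described above, hardcoded AWS credentials in a file pushed to a public repository, is caught cheaply before the push by scanning for the recognisable shape of an access key ID and a secret access key. The script below is an added example for this post, not code from the post or from AWS: it scans source text for such literals (suitable as a pre-commit hook) and shows the environment-variable pattern the post says should have been used instead. The `SAMPLE_SOURCE` file is constructed for the example, and the key values in it are AWS's documented placeholders, not real credentials.

```python
import os
import re
import sys

# Constructed sample of the kind of prototype file the post describes, with
# credentials hardcoded as literals. The values are AWS's documented example
# placeholders, not working keys.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("ec2", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# Long-lived access key IDs start with AKIA, temporary ones with ASIA, followed
# by 16 upper-case alphanumerics. The lookarounds stop us matching inside a
# longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-like characters; on its own that is too
# generic, so we only flag it when it is assigned to a variable whose name
# says what it is.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_hardcoded_aws_credentials(text):
    """Return (line_number, kind, value) for every credential-looking literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(1)))
    return findings


def credentials_from_environment(env=os.environ):
    """The safer pattern: read the keys from the environment and fail loudly
    if they are missing, so nothing ends up as a literal in the repository."""
    try:
        return {
            "aws_access_key_id": env["AWS_ACCESS_KEY_ID"],
            "aws_secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
        }
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None


def check_files(paths):
    """Pre-commit style check: report each finding and return a non-zero exit
    status if any file contains a hardcoded credential."""
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind, value in find_hardcoded_aws_credentials(fh.read()):
                # Print only a prefix so the check itself never echoes a full key.
                print(f"{path}:{lineno}: hardcoded {kind} ({value[:4]}...)")
                bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))
    # With no arguments, demonstrate on the constructed sample.
    for finding in find_hardcoded_aws_credentials(SAMPLE_SOURCE):
        print(finding)
```

Wired in as a pre-commit hook (`python scan_aws_keys.py $(git diff --cached --name-only)`, the hook name being an assumption), the commit is refused while a key literal is staged. The secret-key pattern is deliberately tied to an assignment to a named variable; matching any 40-character string would drown the check in false positives on hashes and base64 blobs.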

The $1,000 Bill

After logging into AWS and rotating the credentials, I went to the EC2 console to see if someone had actually started any servers using my keys. As it happens, this was just around the time Bitcoin was heating up, and so I was greeted with a list of 20+ beefy EC2 instances (the 4xlarge ones) running. I scrambled to shut everything down, and then headed over to the billing console to see what the damage was. I don't recall the exact amount, but it was just above $1,000... oops!

The Response from AWS

I was consoling myself with the prospect of having to pay this bill out of my own pocket when AWS informed me that I shouldn't worry about it: they were taking care of it.

What? I wasn't some huge customer, I was just an individual developer. Any other company would have happily told me that I was responsible for keeping my credentials safe and that I was liable for any charges billed to my account. If I hadn't paid, they would have sent it to a collections agency.

But not Amazon. Because Jeff says it's a customer-first company, and unlike most worthless HR values, they seem to actually mean it.