AWS Security Blog

An Instructive Tale About Using IAM Best Practices

An interesting blog post came to our attention recently: My $500 Cloud Security Screw-up by Rich Mogull. He describes how he learned to adhere to several important AWS security principles through several unfortunate events. Mike Pope, senior technical writer for AWS Identity, paraphrases the post here.

Rich had inadvertently leaked his AWS access keys, allowing some unauthorized users to launch EC2 instances within his account for their own nefarious purposes. Fortunately, AWS Support alerted him and he was able to disable the keys very quickly. It’s fascinating to read how an innocent error caused the problem, how he mitigated the problem, and about the forensics he used to determine what happened.

This story gives us an opportunity to reiterate some of our AWS best practices:

  • Don’t use root account keys. Instead, create IAM users, give them least-privilege permissions, and use IAM user access keys for all AWS access.
  • Never share or reveal your keys. (To be clear, Rich thought he’d scrubbed the keys out of his code before posting it, and missed them only because they were in a commented-out line.)
  • Consider security at all stages of an application life cycle, starting from the very beginning.
  • Rotate keys often.
  • Use CloudWatch to watch for spikes in your AWS charges.
  • Use AWS CloudTrail to log access to your account resources.
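Rich's keys slipped through because they sat on a commented-out line, so any pre-commit leak check has to scan comments exactly as it scans live code. The scanner below is an added example, not code from the original post or from AWS; the sample file, the regular expressions and the variable-name heuristic for secret keys are assumptions, and the key values are AWS's documented placeholder pair rather than real credentials.

```python
import re

# Long-term (AKIA) and temporary (ASIA) access key IDs: 20 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-like characters with no fixed prefix, so
# require a nearby variable name (assumed heuristic) to limit false positives.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret_key|secret)\W{0,3}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
COMMENT_PREFIXES = ("#", "//", "/*", "*", "--", ";")


def is_commented_out(line):
    """True if the line is a comment in common scripting, C-family or SQL styles."""
    return line.lstrip().startswith(COMMENT_PREFIXES)


def scan_source(text):
    """Return (line_no, kind, value, commented) for every credential-looking token.
    Commented-out lines are scanned like any other; they are only labelled."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((n, "access_key_id", m.group(0), is_commented_out(line)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((n, "secret_access_key", m.group(1), is_commented_out(line)))
    return findings


# Constructed sample file. The key values are AWS's documented placeholder pair,
# not real credentials; the "scrubbed" config survives in commented-out lines.
SAMPLE_SOURCE = """\
import boto3
import os

# old hard-coded config, replaced by environment variables below
# ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
# SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ACCESS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
client = boto3.client("ec2")
"""

if __name__ == "__main__":
    for n, kind, value, commented in scan_source(SAMPLE_SOURCE):
        where = "commented-out line" if commented else "live code"
        print(f"line {n}: {kind} {value[:4]}... found in {where}")
```

Run it as a pre-commit hook over staged files and refuse the commit on any finding, whether or not the line is a comment.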

Kudos to Rich for sharing his story as a security lesson for all AWS developers to learn from. Read the AWS Security Best Practices white paper or watch the IAM Best Practices video for more details.