SEGA Europe’s AWS credentials were open to everyone – Computer – News


Why do you assume they use Terraform? There is also AWS CDK and CloudFormation. So maybe use AWS Guard? Then your rules are also much easier to read and remember, and you can make the output human-readable: “file h has resource x with property y with value z, which is not in list q of allowed values / does not match the allowed pattern R”. And AWS Config / Control Tower, because even large companies still have departments that make manual changes.

But all those tools don’t look at the uploaded content in an S3 bucket.
So this problem would not occur.

You can also run https://www.clamav.net/ in a Lambda container and have it run automatically on every new or changed file. Via tags and AWS IAM you can ensure that only files that have been approved are publicly accessible.

This way you at least prevent the potential impact of an attack. But even then you don’t check whether there are credentials in the files on S3.

You can still block known file extensions (again via tagging), and possibly add pattern recognition next to the virus scanner (something like gitleaks, but for your new/updated S3 file), but there is a limit to that as well.

[Comment edited by djwice on 31 December 2021 13:18]
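The tag-gated approach the comment sketches, as an added example that is not part of djwice's comment and not code from SEGA or AWS: a Lambda-style handler for an S3 ObjectCreated notification that scans the new object for credential patterns (the "gitleaks for S3" idea) and blocked extensions, writes a scan-status tag, and a bucket policy that only grants anonymous GetObject on objects carrying scan-status=approved. The tag key, the regexes, the blocked-extension list, the bucket name and the FakeS3 stand-in for boto3 are all assumptions made for this example; the sample objects are constructed and use the placeholder key pair from the AWS documentation. The ClamAV step is left out (it would be a clamscan call on the downloaded body before classify), so the block shows only the credential scan and the IAM gating.

```python
import io
import json
import os
import re
from urllib.parse import unquote_plus

# Illustrative credential patterns (an assumption for this example, not a complete
# secret-scanning ruleset; a real deployment would run a full tool such as gitleaks).
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

TAG_KEY = "scan-status"  # assumed tag key that the bucket policy condition checks
BLOCKED_EXTENSIONS = {".env", ".pem", ".key", ".ppk", ".p12", ".pfx"}  # assumed list


def find_credentials(data: bytes) -> list:
    """Return one finding per credential-pattern match in the object body."""
    text = data.decode("utf-8", errors="replace")
    return [
        {"type": name, "offset": m.start()}
        for name, pattern in CREDENTIAL_PATTERNS.items()
        for m in pattern.finditer(text)
    ]


def classify(key: str, data: bytes) -> tuple:
    """Tag value for an object: a blocked extension or any credential hit means
    'quarantined', otherwise 'approved'."""
    if os.path.splitext(key)[1].lower() in BLOCKED_EXTENSIONS:
        return "quarantined", [{"type": "blocked_extension", "offset": 0}]
    findings = find_credentials(data)
    return ("quarantined" if findings else "approved"), findings


def handle_s3_event(event: dict, s3) -> list:
    """Handler for an S3 ObjectCreated notification. `s3` is anything with boto3's
    get_object / put_object_tagging signatures, so the demo can inject a fake
    client; in Lambda pass boto3.client('s3')."""
    results = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        status, findings = classify(key, body)
        # The tag is the only thing the bucket policy consults, so write it always;
        # an object that never got tagged stays private because the policy is Allow-only.
        s3.put_object_tagging(
            Bucket=bucket, Key=key,
            Tagging={"TagSet": [{"Key": TAG_KEY, "Value": status}]},
        )
        results.append({"key": key, "status": status, "findings": findings})
    return results


def public_read_policy(bucket: str) -> dict:
    """Bucket policy granting anonymous GetObject only on approved objects, via the
    s3:ExistingObjectTag/<key> condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadApprovedOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {f"s3:ExistingObjectTag/{TAG_KEY}": "approved"}},
        }],
    }


class FakeS3:
    """In-memory stand-in for boto3's S3 client (constructed for the offline demo)."""
    def __init__(self, objects: dict):
        self.objects = objects
        self.tags = {}

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def put_object_tagging(self, Bucket, Key, Tagging):
        self.tags[(Bucket, Key)] = {t["Key"]: t["Value"] for t in Tagging["TagSet"]}


def run_demo() -> list:
    """Constructed upload batch: a harmless page, a settings file containing the AWS
    documentation's placeholder key pair, and a private-key file."""
    bucket = "example-public-assets"  # assumed bucket name
    objects = {
        (bucket, "site/index.html"): b"<html><body>hello</body></html>",
        (bucket, "uploads/settings.txt"): (
            b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ),
        (bucket, "uploads/deploy.pem"): b"-----BEGIN RSA PRIVATE KEY-----\n...",
    }
    s3 = FakeS3(objects)
    event = {"Records": [
        {"s3": {"bucket": {"name": b}, "object": {"key": k}}} for (b, k) in objects
    ]}
    results = handle_s3_event(event, s3)
    for r in results:
        r["tags"] = s3.tags[(bucket, r["key"])]
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    print(json.dumps(public_read_policy("example-public-assets"), indent=2))
```

Two things to check before relying on this in a real account: the gating only holds if nothing else grants public read (object ACLs, another policy statement, a CloudFront origin without OAC), so keep Block Public Access ACL settings on; and the uploading principals must not hold s3:PutObjectTagging on the bucket, otherwise they can tag their own object approved and bypass the scanner entirely. Only the scanner's execution role should be able to write that tag.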
