anonymous tip!

This commit is contained in:
R Tyler Croy 2021-01-19 12:05:17 -08:00
parent d0e2ca4dd1
commit a757147dc7
No known key found for this signature in database
GPG Key ID: E5C92681BEF6CEA2
1 changed files with 22 additions and 0 deletions

View File

@ -103,6 +103,28 @@ Finally, I created an IAM user for the integration tests. This IAM user has a
single IAM policy attached to it, listed out above. I then took the AWS access
key and secret key ID for the IAM user and checked those into Git.
**2021-01-19 update:** An anonymous reader points out:
_Certain AWS APIs cannot be disabled via IAM, [including
which in turn allows anyone with the public credentials to run the AWS
equivalent of `whoami`:_
% AWS_PROFILE=rtyler aws sts get-caller-identity
"Account": "547889645515",
"Arn": "arn:aws:iam::547889645515:user/deltars-ro"
_AWS account numbers and IAM user ARNs are not especially privileged but be
aware that publishing access keys has a side effect of disclosing those too._
## Boom goes the dynamite