
> So your criticism of "this is a non-problem -- everybody's just using it wrong" sounds pretty lame.

I don't follow your argument.

Perhaps let me try with a simpler example.

I'll tell you my credit card PIN number is 7341.

Following your line of argument, you'll stand there screaming until you're blue in the face: "that's a secret credential leak, your card is compromised".

To which I say: "well, my card is in my wallet, and my wallet is in my pocket, so watcha' gonna' do with that PIN number, chum?"

So it's the same with AWS.

I could tell you one of my access keys is AKIA3CWKZKKGZLHN and its secret access key is QOF0yG/lvqqAcklAHCDzPKRtk9D5oPnY.

But watcha gonna do with it? Try logging in? To what? And even if you knew which AWS service, even with just low-hanging fruit security layers of IP range restrictions and time-gating you still won't get anywhere. Once we start adding extra layers such as roles and STS on top, then frankly you're more likely to win the jackpot on the lotto twice in a row.

If it's not usable, it's not a compromise.



I do get what you're saying. And yes, a credential leak is not _equivalent_ to a compromise. And yes, if you're doing things well, it won't be. (Although I think most people would say one of your layers of defense is breached and one ought to rotate the credentials, right? Otherwise, why have the credentials at all?) I think that's an important, somewhat tangential point.

Maybe we came to this with different assumptions? My going-in assumption is that most people have not set up those extra layers that you're talking about. For them, a credential compromise is tantamount to an account compromise. Thus, a post like this is relevant to raise awareness of credential compromise (and sure, maybe a missed opportunity to talk about those other layers one could add).

Is your going-in assumption that most people _are_ using those extra layers and so the post is pointless because it _erroneously_ implies that a lot of folks might be more exposed than they think? That's not what I thought you were saying. I thought you were saying: "if a credential leak compromises your account, then you're doing it wrong". That might be true, but if there are lots of people doing it wrong, then it doesn't matter.

(I don't like your PIN example because in real life, the initial conditions set by the bank are that you know your PIN and you have your card. You have to go out of your way to expose both. By contrast, with the AWS credentials, you have to have taken the extra steps you mention to establish the extra layers that you're talking about (IP range restrictions, time gating, etc.))


Defaults matter. People keep their credit cards in their homes/on their person by default. AWS credentials are not usage-restricted by default.
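An added example (not from either commenter) of the two "low-hanging fruit" layers the first comment lists and the unrestricted default the last comment describes: an IAM identity policy with no usage restriction next to the same grant conditioned on a source IP range and a time window, plus a small check that reports which restricting layers a policy carries. The bucket name, IP range and dates are constructed placeholders.

```python
# Constructed: the shape most users end up with, no Condition at all.
UNRESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed: the same grant, usable only from 203.0.113.0/24 (a
# documentation range) and only inside a fixed window. A key leaked out
# of that network, or used after the window closes, is denied.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2024-03-31T23:59:59Z"},
        },
    }],
}

# Global condition keys that bound where, when and how a key can be used.
# IAM matches condition keys case-insensitively, so compare lowercased.
LAYERS = {
    "aws:sourceip": "source-ip",
    "aws:currenttime": "time-window",
    "aws:multifactorauthpresent": "mfa",
}

def usage_restrictions(policy):
    """Return the set of usage-restricting layers on Allow statements."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # IAM also accepts a single statement object
        stmts = [stmts]
    found = set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        for operator_block in stmt.get("Condition", {}).values():
            for key in operator_block:
                if key.lower() in LAYERS:
                    found.add(LAYERS[key.lower()])
    return found
```

An empty result from `usage_restrictions` is the "not usage-restricted by default" case: the key alone is enough to act, so a leak of it is an account compromise.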



