by cddotdotslash 3488 days ago
This should also be called "how to get your account locked by AWS in 15 minutes or less."

AWS is not fond of finding AWS keys laying around (limited permissions or otherwise). I once committed a key to a GitHub repo and AWS called me within 15 minutes. I've seen cases where they will then lock your account (preventing it from creating new EC2 resources) until the key is deleted.

Seriously, don't do this.

EDIT: as others have mentioned, private repos would be fine (and a good idea).

The whole point is that AWS (or any other outside party) would not find the keys. The article explicitly mentions:

  On servers in a text file in ~/.aws/credentials (where a lot of tooling saves AWS credentials)
  On your developer laptop in the same locations
  In application or systemd environment variable configuration files
  In files named 'credentials' or in application configuration files in private, sensitive Github repos

Unless amazon somehow has access to private github repos, they should not see the keys
Recently Github crippled (unfortunately) the Search function so that you can't search something in all the repositories at once (if you try it says that you "Must include at least one user, organization, or repository").

I used to use it to find out how other people use different library functions in the wild and it helped me to find good code examples many times in the past (especially when there was no documentation on the API). I wonder if there is any other code searching service with comparable coverage and quality.

Works for me: https://github.com/search?q=test&type=Code&utf8=%E2%9C%93 Is this not what you're talking about?
Hmm, your link shows me the same "Must include at least one user, organization, or repository" message that I've mentioned. Maybe they removed the feature only for not logged in users. Can't check it right now as I don't have my Github password on my phone.
This is the case. I checked this via incognito mode.
I think you misunderstood the post. What are you testing when you post your aws honey token to a public repo? This is meant for intrusion detection.
I don't think you read the article. They only mention putting them in private places, as a honeypot to alert about an intrusion.
Yeah, putting the keys on Github seems pointless and contrived: there's no remediation to putting a known-bad key out in the open. What are you going to do: block their IP? Oh boy.

I see value in the other examples, though, because they are dead simple tripwires, and, unless AWS is scanning your instances, they should never see this and it shouldn't be a problem.

The idea is to use private repos on Github, not public ones, which just tell you that yes, someone can read a public repo and misuse a key. Not that your private repos have potentially been compromised.
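The tripwire this thread describes only pays off if someone watches CloudTrail for the planted key. The script below is an added example, not code from the post, the linked article or AWS: it assumes CloudTrail's standard {"Records": [...]} JSON shape, and the canary key IDs (AWS documentation example values), their planted locations and the sample records are all constructed placeholders.

```python
"""Flag CloudTrail events made with planted AWS honey-token (canary) keys."""
import json

# Hypothetical canary key IDs mapped to where each copy was planted, so an alert
# names the file or repo that was read. Both IDs are AWS documentation
# example values, used here as placeholders for your own planted keys.
CANARY_KEYS = {
    "AKIAIOSFODNN7EXAMPLE": "~/.aws/credentials on build-server-01",
    "AKIAI44QH8DHBEXAMPLE": "private repo acme/infra, file config/credentials",
}

def load_cloudtrail(text: str) -> list:
    """Parse the JSON document CloudTrail delivers: {"Records": [...]}."""
    return json.loads(text)["Records"]

def find_canary_hits(records: list) -> list:
    """Return one alert dict per record whose access key is a canary.
    A failed (AccessDenied) call still counts: the key is deliberately
    permissionless, so any use at all means its hiding place was read."""
    hits = []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id in CANARY_KEYS:
            hits.append({
                "access_key_id": key_id,
                "planted_at": CANARY_KEYS[key_id],
                "event_time": rec.get("eventTime"),
                "event_name": rec.get("eventName"),
                "source_ip": rec.get("sourceIPAddress"),
                "error_code": rec.get("errorCode"),  # expected: AccessDenied
            })
    return hits

# Constructed sample log: one legitimate call, then two calls with planted keys.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-01-10T08:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAREALKEY000000001"}},
    {"eventTime": "2016-01-10T08:05:12Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.77", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-01-10T08:06:40Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]})

if __name__ == "__main__":
    for hit in find_canary_hits(load_cloudtrail(SAMPLE_LOG)):
        print("CANARY {access_key_id} planted at {planted_at}: {event_name} "
              "from {source_ip} at {event_time}".format(**hit))
```

Because each canary maps to a distinct planted location, a hit tells you which host or repo was read, which is the remediation signal the public-repo variant cannot give.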