by markuman123 1970 days ago
AWS_PROFILE=broken aws s3 ls s3://deltars/simple/

14kb in your bucket and you pay for outgoing traffic. That means, while you're sleeping, I can ruin your AWS bill.

In any case, committing credentials is always wrong and you cannot justify it.

Depending on your CI tool (e.g. gitlab-runner, drone-ci ...) there are other and better ways to provide credentials for a git project in a CI/CD pipeline.


You can run up charges by requesting files in any number of public buckets without the AWS keys. The AWS keys don't change the threat model in this situation.
That's the reason why you should always use aws:kms encryption on S3.
Wait what? This conflates two entirely unrelated things.
Nope, because you just get a 404, even on public buckets, because you have no access to the KMS key.
I know from your absolute conviction on this (coupled with LOTS of experience with people who have absolute conviction about stuff) that your own conviction is preventing you from seeing valid uses for this, and is potentially keeping you from seeing the 100% of the landscape you're professing about.
Sorry, I cannot follow.

To be clear, I'm no AWS advocate.

You know that AWS is frequently used as (and has an entire product for use as) a CDN, right?
Using S3 as a CDN is a completely different thing than intentionally leaking credentials.
He "leaked" credentials which only allow reading, which makes it effectively the same thing as a CDN, except that instead of needing a URL, you need a tuple of URL and access token.
Always wrong? No justification? This seems like a good justification to me. Is there any difference between running up the outbound traffic bill using the key vs accessing web assets anonymously? OP has a budget alert set.
But the budget alert is delayed... I bet you're ruined by the time you've noticed the alert.