by ihsw 4378 days ago
How were they 0wned? Lack of MFA, rogue API key, or something else? Are full-access accounts being handed out willy-nilly instead of IAM accounts?

AWS Multi-Factor Authentication (MFA):

http://aws.amazon.com/iam/details/mfa/

AWS Identity and Access Management (IAM):

http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPract...

Managing your AWS API Keys:

http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSG...

Go a step further with your AWS API keys and use AWS' API access logging (CloudTrail):

http://aws.amazon.com/cloudtrail/

Don't get burned. Check your stuff out.


Hey all, Bonsai cofounder here.

It was an old API access key that got leaked, not our account credentials. We're still investigating how and where the key got leaked, but bottom line, it should have been revoked ages ago.

2FA is great, but it doesn't cover API keys. Rotate your API keys!

At this point, MFA for master AWS accounts should be mandatory.
MFA for all console accounts is the only right answer. If machines require credentials to do a specific task or perform API calls, then roles should be used.
> If machines require credentials to do a specific task or perform API calls, then roles should be used.

Even then, if the data must be considered highly valuable/immutable, then versioning/delete protection should be enabled for the S3 bucket(s) in question. This requires the MFA token to be in the API call for the delete to succeed.
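Both points in the thread, the leaked key that "should have been revoked ages ago" and the call for MFA on every console account, are the kind of thing you can check from the IAM credential report. The following is an added example, not code from the thread or from Bonsai: it audits a constructed report sample (the column names follow the real report; the users, ARNs and dates are made up) and flags root or console users without MFA and access keys that are old, idle, or never used. The age thresholds are assumptions to tune for your own rotation policy.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an IAM credential report (a subset of its
# columns; the real report has more). Accounts, ARNs and dates are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2012-01-15T10:00:00+00:00,2013-11-01T08:30:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2014-02-01T12:00:00+00:00,2014-02-20T09:00:00+00:00,false,N/A,N/A
old-ci,arn:aws:iam::123456789012:user/old-ci,true,false,true,2013-06-01T00:00:00+00:00,N/A,true,2013-09-01T00:00:00+00:00,2013-09-02T00:00:00+00:00
"""

# Fixed "now" so the sample audit is reproducible (assumed date for the example).
AS_OF = datetime(2014, 2, 21, tzinfo=timezone.utc)


def parse_time(value):
    """Return an aware datetime, or None for the report's N/A / no_information markers."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90, max_unused_days=30):
    """Return (user, finding) pairs: root without MFA, console users without MFA,
    and active access keys that are stale, idle for too long, or never used."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root_without_mfa"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console_user_without_mfa"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent keys cannot be used, nothing to rotate
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_time(row[f"access_key_{slot}_last_used_date"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"key_{slot}_stale"))
            if last_used is None:
                findings.append((user, f"key_{slot}_never_used"))
            elif now - last_used > timedelta(days=max_unused_days):
                findings.append((user, f"key_{slot}_unused"))
    return findings


def run_sample():
    """Audit the constructed sample as of AS_OF."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On a real account you would feed it the CSV returned by IAM's credential report instead of the sample; a stale or idle key is a candidate for deactivation first and deletion once nothing breaks.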