Comment by epistasis
8 hours ago
Aws credentials are short lived precisely so that leaking them has a time limited blast radius.
Automatic retrieval, instead of keeping them on disk, is what makes short lived credentials possible.
8 hours ago
Aws credentials are short lived precisely so that leaking them has a time limited blast radius.
Automatic retrieval, instead of keeping them on disk, is what makes short lived credentials possible.
I'm not convinced that time-limiting the blast radius matters. It just means that malicious use of the credentials has to be automated, and that's a pretty damn low bar.