undefined | Better HN

0 pointsicedchai4y ago0 comments

If it happens again, you can stop a small problem before it becomes a very big one. Also, it is a good practice in general.

0 comments

TrueGeek4y ago

It's still crap though. If they spin up an instance billing $1k a day you'll find out after they've already billed several hundred, if not at least $1k. There needs to be a way to set actually limits, not alerts. You should be able to say "I'm not using this service, the limit should be $0."

Of course, if OP didn't have MFA / let their keys leak this may not have helped anyway if the hacker was able to just remove the limits.

isbvhodnvemrwvn4y ago

> You should be able to say "I'm not using this service, the limit should be $0."

In your organization, add a service control policy which denies access to services you don't use. This will prevent all member accounts from executing actions you don't want, including root users. You can also deny any action on any resource in region other than whatever you expect to use (with some exceptions due to legacy stuff).

TrueGeek4y ago

this is great, thank you!

icedchaiOP4y ago

If they had actual limits, you'd have people complaining about their sites getting shut down because someone broke into their account and spun up a bunch of instances. Or a developer did it accidentally. Alerts are much safer.

j / k navigate · click thread line to collapse

0 comments

TrueGeek4y ago

Of course, if OP didn't have MFA / let their keys leak this may not have helped anyway if the hacker was able to just remove the limits.

isbvhodnvemrwvn4y ago

> You should be able to say "I'm not using this service, the limit should be $0."

TrueGeek4y ago

this is great, thank you!

icedchaiOP4y ago

j / k navigate · click thread line to collapse