
100% agree. We always keep all tokens (not just AWS secret keys) in a separate file that is never checked into the repo and are passed into the CloudFormation template at deployment. (The error in this case was a new repo hastily pushed and .gitignore wasn't properly updated to exclude the file with the keys.) But we've since switched to using AWS Secrets which is a much better solution.


Yeah that’s not good either. Your keys never need to be in a local file. Just put them in Parameter Store/Secrets Manager and you can reference those values in CF.


Yeah, that's what we do now
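The approach the thread settles on, as an added example that is not part of any commenter's post: a CloudFormation template that takes only the name of a Secrets Manager secret and resolves the value at deploy time through a dynamic reference, so no key file exists locally to be committed by mistake. The secret name `example/app/db`, its `username`/`password` JSON keys and the RDS resource are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - secret values resolved from Secrets Manager at deploy time

Parameters:
  # Only the secret's NAME is a parameter. The value stays in Secrets Manager,
  # so there is no local secrets file for .gitignore to miss.
  DbSecretName:
    Type: String
    Default: example/app/db   # hypothetical secret name

# Pattern being replaced (kept as a comment for comparison):
# the value is read from an untracked local file and passed in at deployment.
#
#   Parameters:
#     DbPassword:
#       Type: String
#       NoEcho: true
#   ...
#       MasterUserPassword: !Ref DbPassword

Resources:
  AppDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      # Dynamic references: CloudFormation fetches the named JSON key from the
      # secret during the stack operation; the value is not written into the
      # template or the parameter list.
      MasterUsername: !Sub "{{resolve:secretsmanager:${DbSecretName}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecretName}:SecretString:password}}"
```

The deploying principal needs `secretsmanager:GetSecretValue` on that secret, which also gives a CloudTrail record of each time the value is read.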



