I have done AWS Cloud Practitioner and know basic web security and have been doing CTFs recently. I would love to enroll in this Cloud Security course 🤩
Please create a full course on it. It will really help us understand cloud security in more detail and how we can help our org avoid or prevent attacks like this. Thanks.
All your points are fair; lots of things were done wrong, but I feel like the devs dropped the ball by having credentials in cleartext in their GitLab. Maybe they had no other way but to have keys in there, but why admin? 😢 It's easy and it works, but it's very dangerous.
Yup! A really good point. Another reason why roles are preferred over access keys: you don't have to worry about storing them at all (though not always possible).
There is always another way. Using the free tier of HashiCorp Vault would have fixed this issue... upgrading GitLab would have fixed this issue. Creating an access key with all of the permissions is easy, but bad practice. Bottom line, laziness prevails. We need to kick that bad habit.