Store config information in the environment, dammit!

love 12factor.net, and so should you! Factor number three says:

III. Config
Store config in the environment

I’ve always thought this just seems like common sense, especially if you’ve ever suffered thru a promotion scheme where you have to modify checked in files in order to push to stage & prod. However, in ‘My $2375 Amazon EC2 Mistake‘, devfactor shows how failing to heed this advice can lead to high stress, and big losses of real money:

Oops.

When I woke up the next morning, I had four emails from Amazon AWS and a missed phone call from Amazon AWS. Something about 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they where gone within 5 minutes!

Turns out through the S3 API you can actually spin up EC2 instances, and my key had been spotted by a bot that continually searches GitHub for API keys. Amazon AWS customer support informed me this happens a lot recently, hackers have created an algorithm that searches GitHub 24 hours per day for API keys. Once it finds one it spins up max instances of EC2 servers to farm itself bitcoins.

Boom! A $2375 bill in the morning. Just for trying to learn rails.

AWS + Git + Bitcoin makes for a dangerous playground. Stay safe!!

UPDATE: according to this article, the moment you commit, it’s too late. Ouch