10 comments

  • sashokbg 11 days ago

    You have to be completely nuts to put your secret keys in a site on the web.

    • iKlsR 11 days ago

      I thought the same then I thought that maybe they should show instructions to create a user that only has the bare needed access. After you run, you revoke. I could see myself using something akin to this when tearing down old stuff.

      • nthacker 11 days ago

        From the FAQs

        Q: Do you store the keys? A: No, each Nuke is an ephemeral sandboxed process and we don't store any keys.

        • kevsim 11 days ago

          Not sure that's gonna be enough assurance, my friend

      • SSmiley 11 days ago

        Here is the CLI you can run yourself https://github.com/gruntwork-io/cloud-nuke

      • dukha 11 days ago

        Open source CLI to do the same for free without passing AWS keys to a third party: https://github.com/rebuy-de/aws-nuke

      • nthacker 11 days ago

        I launched Cloud Nuke to make it easy to safely delete AWS resources in 3 clicks!

        I've found that deleting idle & underutilized cloud resources is the quickest win to reduce spending on cloud bills. Additionally the workflow of deleting cloud resources often exists in Engineering teams but it is not well thought out and a single member scrambles to determine what needs to be deleted.

        Building on clouds is getting easier, and conversely harder to delete since resources often depend on each other.

        • iKlsR 11 days ago

          I don't think anyone is going to just throw keys in this willy nilly. Perhaps put up some instructions on how to make a one off user with the bare needed access that can be revoked after or something. Still a stretch tho.

        • robertlagrant 11 days ago

          The hard bit is checking that all the dependencies you're about to delete are not used anywhere else.

          • nthacker 11 days ago

            Agree. This is an early version of that pitch :)

        • kevsim 11 days ago

          It's a few years since I've used AWS, but is deleting stuff that hard? I seem to remember it was a matter of deleting a CloudFormation stack and maybe cleaning up a few things that you'd explicitly ask to be preserved (usually storage things like S3 buckets and DBs).

          • nthacker 11 days ago

            It's definitely not point-and-click. My thesis (and experience) is that it has gotten harder.

            Building & Deploying on clouds has gotten easier, and many dev environments have idle, underutilized resources that are paid for.

          • rathel 11 days ago

            > Q: Do you store my card?

            > A: No payments are processed directly by Stripe and we don't store your card details

            "Let's eat grandma".

            • nthacker 11 days ago

              I don't follow...?

              • hcazz 11 days ago

                The parent post above is referencing an online meme that pokes fun at a lack of punctuation[0].

                In the Q/A section quoted, the lack of punctuation can be read as:

                > Q: Do you store my card?

                > A: No payments are processed directly by Stripe, and we don't store your card details

                Which implies that Stripe is not processing the payments, with the note that the card details are not stored.

                This could be rewritten as:

                > Q: Do you store my card?

                > A: We do not store your credit card information. Payments are processed directly by Stripe, and we don't store your card details.

                [0] https://i.imgur.com/gbJVPk3.png

                • nthacker 11 days ago

                  gotcha, thanks makes sense now.

                  > Q: Do you store my card?

                  > A: We do not store your credit card information. Payments are processed directly by Stripe, and we don't store your card details.

                  That's exactly what we mean

                  • nthacker 11 days ago

                    Updated the FAQs. Thanks for pointing this out

            • nthacker 10 days ago

              Thanks for all the feedback HN, I do agree the service is a risky tool so right now I've stubbed it out, effectively disabling its use while I figure out how to address the comments here

              • miked85 11 days ago

                You would have to be crazy to utilize this tool.

                • nthacker 11 days ago

                  I do think deleting cloud resources is a valid use case in many Eng teams and directly correlates to a lower cloud bill. Engineers are frequently building POCs, test machines or just deploying quickly to have idle/underutilized resources lying around

              • ezekg 10 days ago

                The overuse of emojis kills all of your credibility and makes you seem like a child playing with my secret keys.

                • nthacker 10 days ago

                  Ok, thanks for that feedback. It's currently disabled while I figure out next steps

                • boston_sre87 11 days ago

                  kind of terrifying.. wonder how long until a script kiddy finds some access/secret keys in github or somewhere else and kills a company.

                  • arkadiyt 11 days ago

                    They could do the same by using the access keys directly - using this service is strictly better since it would identify the attacker by their Stripe payment method.

                    • boston_sre87 11 days ago

                      Yea, agreed.. they definitely could assuming someone does something stupid and exposes keys with access to everything. But this removes the barrier of needing to have a tiny bit of technical knowledge to do it. I think a pastebin post with the cloudnuke url, keys, and a stolen credit card would look pretty appetizing for bored people. I'm not saying this shouldn't exist exactly.. maybe some kind of additional identity verification would make it less scary tho.

                      • wrboyce 11 days ago

                        The same pastebin could exist today by simply providing a script alongside the access keys, I don't see how this paid-for service changes anything aside from adding an extra hurdle.

                      • hcazz 11 days ago

                        Relying on a cheap payment online to identify an individual determined to act maliciously likely isn't going to lead anywhere useful.

                        • nthacker 11 days ago

                          Exactly

                        • cddotdotslash 11 days ago

                          It's definitely already happened [1] (5 years ago at that). It usually involves some kind of ransom as well.

                          [1] https://www.infoworld.com/article/2608076/murder-in-the-amaz...