<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>IAM on Chen Kai Blog</title><link>https://www.chenk.top/en/tags/iam/</link><description>Recent content in IAM on Chen Kai Blog</description><generator>Hugo</generator><language>en</language><lastBuildDate>Sun, 03 May 2026 09:00:00 +0000</lastBuildDate><atom:link href="https://www.chenk.top/en/tags/iam/index.xml" rel="self" type="application/rss+xml"/><item><title>Alibaba Cloud Full Stack (6): RAM, KMS, and Cloud Security</title><link>https://www.chenk.top/en/aliyun-fullstack/06-ram-security/</link><pubDate>Sun, 03 May 2026 09:00:00 +0000</pubDate><guid>https://www.chenk.top/en/aliyun-fullstack/06-ram-security/</guid><description>&lt;p>I once found a DashScope API key hardcoded in a public GitHub repo. It was mine. Someone had forked a demo I pushed months earlier, and the key was sitting in a config file I forgot to gitignore. By the time I noticed, the key had been used to generate 14,000 Qwen API calls in a single weekend. The bill was not catastrophic — DashScope per-token pricing is forgiving — but the lesson was. I had treated cloud security as something I would figure out later. &amp;ldquo;Later&amp;rdquo; arrived as a billing alert at 2 AM on a Sunday.&lt;/p></description></item><item><title>Cloud Computing (6): Cloud Security and Privacy Protection</title><link>https://www.chenk.top/en/cloud-computing/security-privacy/</link><pubDate>Sun, 07 May 2023 09:00:00 +0000</pubDate><guid>https://www.chenk.top/en/cloud-computing/security-privacy/</guid><description>&lt;p>&lt;figure class="article-figure">
 &lt;img src="https://blog-pic-ck.oss-cn-beijing.aliyuncs.com/posts/en/cloud-computing/security-privacy/illustration_1.png" alt="Cloud Computing (6): Cloud Security and Privacy Protection — Chapter overview" loading="lazy" decoding="async" class="content-image">
 
&lt;/figure>
&lt;/p>
&lt;p>In 2019 Capital One lost roughly a hundred million customer records. The exploit chain was short: a misconfigured WAF running on EC2 could be made to issue server-side requests, one of those requests reached the instance metadata service at &lt;code>169.254.169.254&lt;/code> (IMDSv1 at the time, which required no token), the metadata service handed back the temporary credentials of the instance&amp;rsquo;s IAM role, and that role had wildcard &lt;code>s3:*&lt;/code> across every bucket in the account. One misconfiguration, one over-broad role, one WAF rule nobody had written. The regulatory fine alone, before legal costs and settlements, was 80 million dollars.&lt;/p></description></item></channel></rss>