
There is no excuse to ever have AWS secret keys anywhere in your code or your settings.

If you are running locally, you should be using your own secret keys that are configured in your user directory with

  aws configure

If you are running on anything within AWS you should be using a role attached to your EC2 instance or lambda and the SDK can retrieve your keys automatically.

Unfortunately, every single third-party code sample on the internet has you including the secret keys in your code.
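As an added example (not part of the comment above and not AWS tooling): a small check that flags hard-coded AWS credentials in source text before it is committed. The two regexes are heuristics chosen for this sketch, the function names are hypothetical, and the key values in the sample are AWS's published documentation placeholders.

```python
import re
import sys

# Access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character base64-style value assigned to a name containing "secret".
SECRET_ASSIGN = re.compile(
    r"(?i)\b[\w.]*secret[\w.]*\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def redact(value):
    """Keep only the first four characters so reports do not re-leak the key."""
    return value[:4] + "*" * (len(value) - 4)

def scan(text, path="<memory>"):
    """Return (path, line_no, kind, redacted_value) for each suspected credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, no, "access-key-id", redact(m.group(0))))
        for m in SECRET_ASSIGN.finditer(line):
            findings.append((path, no, "secret-access-key", redact(m.group(1))))
    return findings

# Constructed samples; the key values are AWS's published documentation placeholders.
HARDCODED = '''import boto3
s3 = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
'''
CLEAN = '''import boto3
# No keys: the SDK reads ~/.aws (written by `aws configure`) or the attached role.
s3 = boto3.client("s3")
'''

if __name__ == "__main__":
    # With file arguments, act as a commit gate; otherwise scan the samples.
    if sys.argv[1:]:
        hits = []
        for p in sys.argv[1:]:
            with open(p, encoding="utf-8", errors="replace") as fh:
                hits += scan(fh.read(), p)
    else:
        hits = scan(HARDCODED, "hardcoded.py") + scan(CLEAN, "clean.py")
    for hit in hits:
        print("%s:%d: %s %s" % hit)
    sys.exit(1 if hits else 0)
```

Run it with file paths as arguments to use it as a commit gate; it exits non-zero when anything is flagged.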



An employee of mine once committed a keypair for our company GSuite, clearly labeled, in a Python script. I asked her to remove it from the repo, and she simply pushed a new version of the file with the keypair gone. Plus, she hadn’t configured .gitignore, so all the binaries were there too.


The right request would have been to revoke it, not to try to remove it from the repo.



