AWS S3 key was exposed
Incident Report for Visma Cloud Services
Postmortem

At 8:50 we received word from AWS that our API key was temporarily exposed. This API key only had access to S3 storage.

Coincidentally, an upgrade was already scheduled for 10:00 PM to move away from using API keys to using IAM roles directly with short-lived tokens.
We completed the upgrade and disabled the API key.

The key gave access to data files such as "Call sheets", "project call sheets", profile pictures, and "evidence" for costs/worked hours, in which minimal user data is exposed. We have no indication that data was downloaded en masse (we would have seen a huge uptick in data out, and we don't see anything out of place). This is not proof, but it is the best indication we can give.

Posted Aug 26, 2024 - 12:01 CEST
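
The postmortem's reasoning rests on aggregate data out. As an added example (not Visma's code or tooling), the Python below shows a narrower check: summing the bytes read through one access key per day from CloudTrail S3 data events and flagging days far above the baseline. It assumes data events were being logged for the bucket, which the report does not state; the key IDs, IP addresses, dates and byte counts are constructed.

```python
import json
from collections import defaultdict
from statistics import median

EXPOSED_KEY = "AKIAEXAMPLEEXPOSED00"  # placeholder key ID, not from the report

def make_event(day, ip, nbytes, key=EXPOSED_KEY, name="GetObject", error=None):
    """Build one constructed CloudTrail-style S3 data event as a JSON line."""
    ev = {"eventTime": f"{day}T12:00:00Z", "eventName": name,
          "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
          "errorCode": error,  # None (null) marks a successful request here
          "additionalEventData": {"bytesTransferredOut": float(nbytes)}}
    return json.dumps(ev)

# Constructed sample: three quiet days, then a large read from a new address.
SAMPLE = [
    make_event("2024-01-01", "10.0.0.5", 1_000_000),
    make_event("2024-01-02", "10.0.0.5", 1_200_000),
    make_event("2024-01-03", "10.0.0.5", 900_000),
    make_event("2024-01-04", "10.0.0.5", 1_100_000),
    make_event("2024-01-04", "203.0.113.7", 50_000_000),
    make_event("2024-01-04", "203.0.113.7", 0, error="AccessDenied"),
    make_event("2024-01-04", "10.0.0.9", 9_000_000, key="AKIAEXAMPLEOTHER0000"),
    make_event("2024-01-04", "10.0.0.5", 0, name="PutObject"),
]

def egress_by_day(lines, key_id):
    """Per UTC day: GetObject bytes out and source IPs for one access key."""
    total, ips = defaultdict(int), defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") != "GetObject" or ev.get("errorCode"):
            continue  # only successful object reads move data out
        if ev.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue  # traffic from other credentials is out of scope
        day = ev["eventTime"][:10]
        out = ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
        total[day] += int(float(out))
        ips[day].add(ev.get("sourceIPAddress"))
    return dict(total), {d: sorted(s) for d, s in ips.items()}

def flag_upticks(total, baseline_days, factor=5.0):
    """Days outside the baseline whose volume exceeds factor x baseline median."""
    base = median(total.get(d, 0) for d in baseline_days)
    return sorted(d for d, b in total.items()
                  if d not in baseline_days and b > factor * max(base, 1))

if __name__ == "__main__":
    totals, ips = egress_by_day(SAMPLE, EXPOSED_KEY)
    for day in flag_upticks(totals, ["2024-01-01", "2024-01-02", "2024-01-03"]):
        print(day, totals[day], ips[day])
```

Filtering by key ID and listing source addresses per day separates the exposed credential's reads from normal application traffic, which a bucket-wide data-out graph cannot do.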

Resolved
At 8:50 we received word from AWS that our API key was temporarily exposed. This API key only had access to S3 storage.
Posted Aug 23, 2024 - 08:30 CEST