# Securing the Cloud: From S3 Credentials to RDS Database Access

I recently went on a bit of an adventure with an application used for `webinar` and `1:1 meetings`. It's a start-up based in Bangalore, and guess what? It ended with me accessing the RDS database! Let me take you through how it all happened.

**Discovering the Problem**

Everything began when I was messing around with an API used for uploading files. While I was looking at how files got uploaded, I noticed something odd: there were `S3 credentials` in the API response. These credentials were the ones used to upload customer files to a particular `s3 bucket`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1713462994986/0350ab46-ddee-417d-816d-e566171ee222.png align="center")

**Digging Deeper**

Using these keys, I decided to see what was in the storage. And wow, there were two big areas I got into. One held recorded videos of users' `webinar` sessions, and the other was a `secret-keys-staging` bucket.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1713463644386/f24666b6-6e36-47db-b71b-18a5f8d6e6d7.png align="center")

One of the first things I did was list the contents of the bucket, where I discovered a very interesting file named `secrets.json`. Inside this file were critical details:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1713464941213/e8333749-9e15-4a2a-b5f2-a341639c9a71.png align="center")

The **PostgreSQL** database's `username`, `password`, `host` and `port`. Finding such sensitive information was a massive red flag and a clear indicator of a severe security oversight.

Interestingly, the `secrets.json` file also stored the **SendGrid API** key. If you're not familiar, SendGrid is a popular service used for sending emails, so having its API key is like having the key to the email kingdom! I decided to check out its scope, and it had more permissions than it should have. This would allow unauthorized actions on users' emails and profiles: creating, reading, updating, and even deleting!

The privileges were as follows:

* `user.email.create`
* `user.email.read`
* `user.email.update`
* `user.email.delete`
* `user.profile.create`
* `user.profile.read`
* `user.profile.update`
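
As an added example (not code from this post or from the company), here is a small Python audit that flags the kinds of exposure described above when run over an API response or a configuration file: AWS access key IDs, SendGrid-format API keys, JSON keys whose names say "password" or "secret", and SendGrid scopes beyond what a mail sender needs. The sample upload response and secrets file are constructed, the AWS key pair is the public AWS documentation example, and `mail.send` is assumed to be the only scope an email-sending integration requires.

```python
import json
import re

# Credential shapes this write-up found exposed (constructed regexes, not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "sendgrid_api_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
}
SECRET_KEY_HINTS = ("password", "secret", "api_key")  # key names that must never reach a client
ALLOWED_SENDGRID_SCOPES = {"mail.send"}  # assumed: all an email-sending integration needs

def scan_text(body):
    """(pattern_name, value) for every credential-shaped string in body."""
    return [(name, m.group(0)) for name, rx in PATTERNS.items() for m in rx.finditer(body)]

def scan_json_keys(obj, path=""):
    """Flag non-empty string values stored under secret-like key names, recursively."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            if isinstance(val, str) and val and any(h in key.lower() for h in SECRET_KEY_HINTS):
                hits.append(("secret_key_name", here))
            hits.extend(scan_json_keys(val, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(scan_json_keys(val, f"{path}[{i}]"))
    return hits

def audit_body(body):
    """Run both checks over raw text; the JSON walk is skipped if body is not JSON."""
    findings = scan_text(body)
    try:
        findings.extend(scan_json_keys(json.loads(body)))
    except ValueError:
        pass
    return findings

def excessive_scopes(granted):
    """Scopes on an API key beyond what sending mail requires."""
    return sorted(set(granted) - ALLOWED_SENDGRID_SCOPES)

# Constructed samples: an upload-API response embedding static AWS keys (the AWS
# documentation example pair) and a secrets file like the one found in the bucket.
UPLOAD_RESPONSE = json.dumps({"bucket": "customer-uploads-example",
                              "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
                              "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"})
SECRETS_JSON = json.dumps({"db": {"host": "db.example.internal", "port": 5432,
                                  "username": "app", "password": "constructed-pw"},
                           "sendgrid_api_key": "SG." + "A" * 22 + "." + "B" * 43})
```

The first finding's fix is to hand clients a short-lived presigned upload URL instead of static keys, with the upload identity scoped to that one bucket; the scope check is the same least-privilege question asked of the SendGrid key.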

With these database access credentials in hand, my next step was to interact directly with the database. To do this, I installed the PostgreSQL client on my machine. This tool, often called `psql`, is a command-line interface that lets you execute queries, manage data, and interact with the database server more efficiently than many graphical interfaces.

Once `psql` was set up, I was able to connect to the database using the credentials I found.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1713465387808/937bf163-0719-4c60-910e-c3fb13526abf.png align="center")

Once I got into the database, I could see everything. This capability to directly access and potentially manipulate the database was alarming, as it could lead to unauthorized data access, data tampering, and a host of other security breaches.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1713465544038/6b5991fb-0857-416b-9a47-68d985c5ef6c.png align="center")

As a final step, I decided to explore the actual data to understand the severity of the exposure further. I executed the command `SELECT * FROM user_user;`

With that command, I was able to see all the user data from the `user_user` table. I had all the users' data right in front of me. This is the sort of data that should be highly guarded and never be this easily accessible.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1713466768353/85378dc0-16ce-4322-8300-d1f82ffa0c94.png align="center")

After discovering the security vulnerability, I promptly reported my findings to the company's **Chief Technology Officer (CTO)** and discussed them over a call. The CTO was genuinely impressed with the depth of the findings. In recognition of my contribution to strengthening the company's security measures, I was immediately rewarded with **$250**. It's worth noting that as a startup in its early stages, they were new to the concept of bug bounties.
