
Question: Why are AWS keys public in Plesk Firehose?

saadifastian

New Pleskian
Server operating system version
Cloud Linux
Plesk version and microupdate number
Plesk Onyx Version 17.8.11

{
    "stream": "plesk-17.0-ux",
    "region": "us-west-2",
    "accessKeyId": "BajksdjasdiuahoOHUEUNN",
    "secretAccessKey": "p+asd;kmIOJIdmdm435;mdaisd49dkmpamd",
    "endpoint": "firehose.us-west-2.amazonaws.com",
    "httpOptions": {
        "connectTimeout": 1000,
        "timeout": 1000
    }
}
 
There has been an internal discussion in the past about this topic. Plesk is aware of it, but the specific usage case of these visible keys is no security threat. If you would like to discuss your concerns in detail, please open a ticket with Plesk support specifically for your case.
 
Hi, but WHY are there credentials to AWS? Some 'security researchers' sent us a report that we expose this kind of information. So by default we don't want this information in there.
So in short:
- Is there documentation on why this AWS connection is needed (or can we block this server from going to AWS in the firewall)?
- If needed, can it be placed outside the login.php to avoid reports from 'security researchers/bounty hunters'?
 
One follow-up from the above:
We mitigated the 'security researchers/others' by denying access via Customizing Plesk URL
and changed the setting to "No custom URLs. Only https://<server-IP-or-hostname>:8443" and give customers VPN.
 