Not a "bug" in terms of incorrect code. But if I worked there, I'd sure like to know that
1. There were older versions of apps with config files stored in S3 that contained AWS keypairs for roles with wide open access
2. That such keypairs existed in the first place and were used on servers - probably no service role with such wide access should exist, and even if it did, it ought to be caught by routine audits for overpermissioned roles, and also old keypairs should be retired and rotated regularly
3. That a whole bunch of private key material basically encompassing the keys to the Instagram castle were stored in S3 buckets
1. There were older versions of apps with config files stored in S3 that contained AWS keypairs for roles with wide open access
2. That such keypairs existed in the first place and were used on servers - probably no service role with such wide access should exist, and even if it did, it ought to be caught by routine audits for overpermissioned roles, and also old keypairs should be retired and rotated regularly
3. That a whole bunch of private key material basically encompassing the keys to the Instagram castle were stored in S3 buckets