Business information leak - Credentials

Need

Protection of business credentials to prevent unauthorized access and data breaches

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Non compliant code

provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  region     = "us-west-2"
}

In the above code, the AWS credentials (access_key and secret_key) are hardcoded directly into the Terraform configuration file. This is a serious vulnerability: anyone who can read the file can call the AWS APIs with every permission that key pair has, without authenticating as themselves.

If the file is stored in a version control system (like Git), the credentials also end up in the version history. Removing them from the current revision does not help, because anyone who can read old revisions can still see them, and rewriting the history does not help either, because existing clones, forks and CI caches already hold the key. A key that has ever been committed must therefore be treated as compromised and rotated.

This vulnerability leads to a business information leak when the AWS account stores sensitive data: attackers can use the credentials to read, exfiltrate or corrupt it.

If the key also has permissions to modify infrastructure, attackers can disrupt the service. For example, they could delete EC2 instances, open security groups to the Internet, or create resources (such as large compute instances) that you are billed for.

In addition, because AWS access keys are tied to a specific IAM user, every action performed with them is logged (for example in CloudTrail) as that user. An attacker's activity is thus attributed to a legitimate identity, which muddies accountability and makes incident investigation harder.

Steps

  • Remove the hardcoded access key and secret key from the code, and deactivate or delete the exposed key pair in IAM, since it has to be treated as compromised.
  • Supply credentials from outside the code: environment variables, the shared credentials file, or a secrets management service; where possible, use an IAM role (instance profile or CI identity federation) so that no long-lived key exists at all.
  • Implement multi-factor authentication for the AWS account.
  • Regularly rotate the access key and secret key.
  • Implement strong password policies for all accounts.
  • Review and update network security and access controls, and keep each key's IAM permissions to the minimum Terraform actually needs.
  • Regularly review and update security policies regarding the use of credentials.

Compliant code

provider "aws" {
  region = "us-west-2"
}

The original code contained hardcoded AWS access keys, which can lead to unauthorized access if the code is exposed. The updated code removes these hardcoded keys and lets the provider resolve credentials from its environment.

To provide your AWS credentials securely, set them through environment variables. The Terraform AWS provider, the AWS SDKs and the AWS CLI all read access keys from the following variables when none are given explicitly:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN (only when using temporary credentials)

You can set these variables in your shell's profile file (e.g., ~/.bash_profile, ~/.bashrc, ~/.zshrc). Keep in mind that this file is itself plaintext on disk: it should be readable only by your user, and it must never be checked in. On CI systems, use the pipeline's secret store or an IAM role instead.

export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key

Remember to replace your_access_key and your_secret_key with your actual AWS access key and secret key.

For additional security, consider implementing multi-factor authentication for your AWS account, regularly rotating your access keys, enforcing strong password policies, and regularly reviewing and updating your network security and access controls.

Never expose your AWS access keys in your code or version control system. If you have previously committed code with your keys, rotate them first; cleaning the history afterwards limits further spread but does not undo the exposure.
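The following is an added example (not code from the original page) of the check a practitioner would run for the two situations described above: finding keys already sitting in Terraform files, and blocking new ones from being committed via a git pre-commit hook. The regular expression is my assumption, not the page's: AWS long-term access key IDs start with AKIA and temporary ones with ASIA, each followed by 16 uppercase alphanumerics, and access_key/secret_key are the Terraform AWS provider arguments shown in the non-compliant snippet. The sample files in the comments are constructed.

```shell
#!/bin/sh
# aws-key-check.sh (hypothetical name): detect hardcoded AWS credentials in
# Terraform sources. Added example, not part of the original page.

# Either a bare access key ID anywhere on the line (AKIA = long-term key,
# ASIA = temporary STS key, 16 uppercase alphanumerics after the prefix), or a
# Terraform provider argument access_key/secret_key assigned a quoted literal.
AWS_KEY_PATTERN='(AKIA|ASIA)[0-9A-Z]{16}|^[[:space:]]*(access_key|secret_key)[[:space:]]*=[[:space:]]*"[^"]+"'

# find_aws_keys FILE...
# Prints every offending line as file:line:text. Returns 1 if any file contains
# a hardcoded credential, 0 if all files are clean.
find_aws_keys() {
    found=0
    for f in "$@"; do
        if grep -HnE "$AWS_KEY_PATTERN" "$f"; then
            found=1
        fi
    done
    return "$found"
}

# check_added_lines
# Reads a unified diff on stdin and returns 1 if any *added* line introduces a
# credential, 0 otherwise. Removed and context lines are ignored, so a commit
# that deletes a leaked key still passes. Feed it `git diff --cached -U0` from
# a pre-commit hook, or `git log -p --all` to sweep the whole history.
check_added_lines() {
    if grep -E '^[+]' | grep -vE '^[+][+][+] ' | sed 's/^+//' | grep -E "$AWS_KEY_PATTERN"; then
        return 1
    fi
    return 0
}

# Usage (not executed when this file is sourced):
#   . ./aws-key-check.sh
#   find_aws_keys main.tf variables.tf            # one-off scan, exit 1 on a hit
#   git diff --cached -U0 | check_added_lines     # in .git/hooks/pre-commit
#   git log -p --all | check_added_lines          # does the history leak anything?
#
# Against a constructed main.tf holding the non-compliant provider block from
# this page, find_aws_keys reports the access_key and secret_key lines and
# exits 1; against the compliant block (region only) it exits 0.
```

The two functions share one pattern on purpose: whatever you consider a finding in a file must also be a finding in a diff, otherwise the hook and the scan drift apart. A hit from the history sweep is not a "fix the file" event but a "rotate the key" event, for the reasons given above.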