
Non-encrypted confidential information - AWS

Need

Secure storage of AWS credentials

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Non compliant code

provider "aws" {
  region     = "us-west-2"
  # Long-lived IAM access key pair hard-coded in the source
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

The above Terraform code configures the AWS provider. access_key and secret_key are a long-lived IAM access key pair; the provider signs every API call with them, so whoever holds the pair can act with the full permissions of that IAM user.

The vulnerability is that these credentials are written in plain text in the source. Anyone who can read the file, or any copy of the repository including its history after the keys are later removed, can use them to reach the AWS account.

If the repository is public, or later becomes public, the keys are exposed to anyone on the Internet, where leaked access keys are routinely harvested by automated scanners. The consequences include data theft, unauthorized changes to the infrastructure and unexpected charges for resources created by the attacker.

Steps

  • Remove the plain-text access key and secret key from the source code, and treat the exposed pair as compromised: deactivate and delete it and issue a new one, because the old values remain in version-control history.
  • Prefer not to keep long-lived keys anywhere in the project: let the provider obtain credentials from its default chain (the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, a named profile in the shared credentials file, or the IAM role of the CI runner or instance that executes Terraform) and add an assume_role block so Terraform works with short-lived credentials for the deployment role.
  • If a static key pair is unavoidable, keep it in a secrets store such as AWS Secrets Manager or a Parameter Store SecureString parameter (both encrypt the value at rest with KMS) and inject it at runtime, for example through TF_VAR_* environment variables, never through a tfvars file that is committed.
  • Declare the input variables that carry credentials with sensitive = true so Terraform redacts them from plan and apply output.
  • Follow the organization's policies for encryption at rest, access control and rotation of secrets.

Compliant code

# Declared as sensitive so Terraform redacts the values in plan/apply output
variable "access_key" { sensitive = true }
variable "secret_key" { sensitive = true }

provider "aws" {
  region     = "us-west-2"
  access_key = var.access_key
  secret_key = var.secret_key
}

The original code stored the AWS access key and secret key in plain text in the source, where anyone with a copy of the repository could read them.

The updated code removes the literals and reads the values from the input variables var.access_key and var.secret_key. Those variables should be declared with sensitive = true so that Terraform redacts them in plan and apply output, and their values supplied at runtime, for example through the TF_VAR_access_key and TF_VAR_secret_key environment variables populated from a secrets store such as AWS Secrets Manager or Parameter Store, or through a -var-file that is excluded from version control. Writing the same literals into a committed terraform.tfvars would only move the problem.

Note that sensitive = true hides the values from CLI output; it does not encrypt them, and the keys are still long-lived static credentials. The stronger fix is to leave access_key and secret_key out of the provider block altogether and rely on the provider's credential chain (environment variables, a shared credentials profile, or the role of the machine running Terraform), ideally combined with an assume_role block so Terraform operates with short-lived credentials.

With the literals gone from the repository and the exposed pair rotated, the credentials are no longer exposed through the source code, which removes this vector for their compromise.
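The following configuration is an added example covering the steps above; it is not code from the original page. It goes one step further than the compliant block: the provider carries no credentials of its own, the static key variables default to null (Terraform treats a null argument as omitted, so the provider falls back to its default credential chain), and an assume_role block exchanges whatever the chain provides for short-lived credentials. The variable names, the role ARN, the session name and the account ID in the usage note are assumptions.

```hcl
# variables.tf -- added example; names and ARNs are assumptions

variable "aws_region" {
  type    = string
  default = "us-west-2"
}

variable "deploy_role_arn" {
  description = "IAM role Terraform assumes. The caller identity comes from the credential chain, not from this repository."
  type        = string
}

# Fallback for environments that must still use a static key pair. Supply the
# values at runtime via TF_VAR_aws_access_key / TF_VAR_aws_secret_key, never
# from a committed .tfvars file. With both left null the provider ignores them.
variable "aws_access_key" {
  type      = string
  sensitive = true
  default   = null
}

variable "aws_secret_key" {
  type      = string
  sensitive = true
  default   = null
}

# providers.tf

provider "aws" {
  region = var.aws_region

  # No literals here. When these resolve to null the provider walks its default
  # chain: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, then AWS_PROFILE and the
  # shared credentials/config files, then instance, container or OIDC credentials.
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key

  # Exchange the caller's credentials for a short-lived session scoped to the
  # deployment role; the long-lived identity never needs the deployment permissions.
  assume_role {
    role_arn     = var.deploy_role_arn
    session_name = "terraform"
  }
}
```

A typical invocation from a workstation uses a named profile and passes only the role ARN (hypothetical account ID): `AWS_PROFILE=dev TF_VAR_deploy_role_arn=arn:aws:iam::123456789012:role/terraform-deploy terraform plan`. In CI the runner's own role or OIDC federation supplies the caller identity, so no key pair exists to leak.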
