Amazon Web Services Keys ID

ID

aws_id

Severity

low

Vendor

Amazon Web Services

Family

API Token

Description

Amazon Web Services (AWS) uses access keys for programmatic calls to AWS or for authentication in the AWS command-line interface. An access key is a pair (Access Key ID, Secret Access Key): the Access Key ID (for example AKIAIOSFODNN7EXAMPLE) acts as the username and the Secret Access Key (for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) acts as the password.

A user typically has at most two AWS access keys, which should be stored in a safe place.

The Session Token is a short-term, temporary credential; once it expires, it is no longer valid. Session tokens may be used in less secure environments.

Security

Any leakage of the Secret Access Key is critical. The Access Key ID is less sensitive, but it should not be made public.

The Session Token, due to its temporary nature, is less sensitive and expires automatically.

Examples

The following example shows a hardcoded AWS access key (ID and secret) in a shell script:

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

The following example shows a Terraform template with a hardcoded AWS key:

provider "aws" {
  region     = var.region
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

In this case, it is better to use one of the alternatives for managing secrets in Terraform code.
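The two examples above are exactly what a secrets scanner looks for. The following Python script is an added example, not part of the original page or of any vendor's detector: it matches the Access Key ID format described in the Description section (20 upper-case alphanumerics starting with AKIA, or ASIA for temporary STS credentials) and matches a 40-character secret only when it is assigned to a variable whose name contains "secret", then rates the file "low" when only an ID is present and "critical" when the paired secret is found alongside it, mirroring the severity split in the Security section. The sample inputs are the page's own shell and Terraform snippets plus a constructed ASIA key; the function names and the regexes are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Long-term IAM access key IDs start with "AKIA"; temporary STS credentials
# start with "ASIA". Both are 20 upper-case alphanumeric characters.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A bare 40-character base64-like token would flag far too much, so the
# secret is only matched when assigned to a variable named *secret* (shell
# exports, Terraform attributes, YAML keys, .env files).
SECRET_KEY_RE = re.compile(
    r"(?i)[A-Z_]*secret[A-Z_]*\s*[=:]\s*[\"']?"
    r"(?P<secret>[A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


@dataclass
class Finding:
    line_no: int
    kind: str            # "access_key_id" or "secret_access_key"
    value: str           # the matched credential (mask it before reporting)
    temporary: bool = False  # True for ASIA (session) key IDs


def mask(value: str) -> str:
    """Keep the first and last four characters so a finding is recognisable."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return every access key ID and secret assignment found, line by line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", m.group(0),
                                    temporary=m.group(1) == "ASIA"))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", m.group("secret")))
    return findings


def classify(findings: List[Finding]) -> str:
    """'critical' if a secret is present, 'low' for an ID alone, else 'none'."""
    kinds = {f.kind for f in findings}
    if "secret_access_key" in kinds:
        return "critical"
    if "access_key_id" in kinds:
        return "low"
    return "none"


def report(text: str) -> List[str]:
    """Human-readable lines with credentials masked."""
    findings = scan_text(text)
    lines = [f"line {f.line_no}: {f.kind} {mask(f.value)}"
             + (" (temporary)" if f.temporary else "") for f in findings]
    lines.append(f"severity: {classify(findings)}")
    return lines


# Sample inputs (constructed for this example; the key values are the
# AWS documentation placeholders already used on this page).
SHELL_SCRIPT = """export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

TERRAFORM_HARDCODED = """provider "aws" {
  region     = var.region
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
"""

# Credentials supplied by the environment or a profile instead of the file.
TERRAFORM_FIXED = """provider "aws" {
  region = var.region
}
"""

# Constructed temporary-credential ID (not a real key).
TEMP_KEY_ONLY = "AWS_ACCESS_KEY_ID=ASIAEXAMPLE000000001\n"

if __name__ == "__main__":
    for name, sample in [("shell", SHELL_SCRIPT), ("terraform", TERRAFORM_HARDCODED),
                         ("terraform-fixed", TERRAFORM_FIXED), ("temp-id", TEMP_KEY_ONLY)]:
        print(f"== {name} ==")
        print("\n".join(report(sample)))
```

Running the script reports both the ID and the secret for the shell and Terraform examples (severity "critical"), nothing for the fixed Terraform block, and only a low-severity temporary ID for the constructed ASIA sample. The masking in report() matters in practice: a scanner that prints the full secret into CI logs just moves the leak somewhere else.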

Mitigation / Fix

The Access Key ID should not be publicly exposed, but the risk is low as long as the paired AWS Secret Access Key has not leaked as well.

If it has, follow the instructions given in the AWS Secret Leak Mitigation/Fix section.