IBM Cloud Object Storage Key
ID: ibm_cos_hmac_key
Severity: high
Vendor: IBM Cloud
Family: Access key
Description
IBM Cloud Object Storage (COS) is an IBM Cloud service for storing unstructured data in the cloud.
For an application to work with COS, a service credential (known as a COS HMAC credential) must be created.
A COS HMAC credential consists of an Access Key and a Secret Key, paired for use with S3-compatible tools and libraries that require authentication. The pair (access key, secret key) is delivered as a JSON document.
COS HMAC keys are kept for compatibility with earlier integrations; new development is recommended to use IAM authentication instead.
Security
If COS HMAC credentials leak, an unauthorized party can access the IBM Cloud Object Storage service. By default the credential grants access to the entire instance, unless bucket permissions were restricted.
Examples
{
  "apikey": "0viPHOY7LbLNa9eLftrtHPpTjoGv6hbLD1QalRXikliJ",
  "cos_hmac_keys": {
    "access_key_id": "347aa3a4b34344f8bc7c7cccdf856e4c",
    "secret_access_key": "gvurfb82712ad14W7a7915h763a6i87155d30a1234364f61"
  },
  "endpoints": "https://control.cloud-object-storage.test.cloud.ibm.com/v2/endpoints",
  "iam_apikey_description": "Auto generated apikey...",
  "iam_apikey_name": "auto-generated-apikey-...",
  "iam_role_crn": "...",
  "iam_serviceid_crn": "...",
  "resource_instance_id": "..."
}
The secret_access_key field is reported as the secret. Note that the apikey field in the same document is also a credential and may be treated as a secret too.
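As an added illustration (not part of the original entry or of any vendor tooling), the following detector parses a credential document of the shape shown above and reports both the secret_access_key and the apikey fields, falling back to a pattern match when the surrounding file is not valid JSON. The length constraints in the regex are an assumption taken from the sample, and the sample values below are constructed placeholders.

```python
import json
import re

# Fields of an IBM COS service credential that hold secrets: the COS HMAC
# secret itself and the IAM apikey the same document carries.
SECRET_FIELDS = ("secret_access_key", "apikey")

# Fallback for text that is not valid JSON as a whole (a log line, a config
# with the credential pasted in). Assumed shape: 32-hex access key id and a
# 48-character alphanumeric secret, as in the sample above.
HMAC_PAIR_RE = re.compile(
    r'"access_key_id"\s*:\s*"([0-9a-f]{32})"\s*,\s*'
    r'"secret_access_key"\s*:\s*"([A-Za-z0-9]{48})"'
)

def redact(value: str) -> str:
    """Keep enough of the value to correlate with logs, never the whole key."""
    return value[:4] + "..." + value[-2:]

def find_cos_secrets(text: str) -> list:
    """One finding (JSON path, redacted value) per secret-bearing field."""
    findings = []
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                here = f"{path}.{key}" if path else key
                if key in SECRET_FIELDS and isinstance(val, str) and val:
                    findings.append({"path": here, "value": redact(val)})
                walk(val, here)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")

    if doc is not None:
        walk(doc, "")
    else:  # not parseable: fall back to the regex over the raw text
        for m in HMAC_PAIR_RE.finditer(text):
            findings.append({"path": "cos_hmac_keys.secret_access_key",
                             "value": redact(m.group(2))})
    return findings

# Constructed sample in the shape of the credential above (not a real key).
SAMPLE = ('{"apikey": "Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56Qr78St90Uv12", '
          '"cos_hmac_keys": {"access_key_id": "0123456789abcdef0123456789abcdef", '
          '"secret_access_key": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4"}}')
```

Findings carry only a redacted prefix and suffix so the scanner's own output does not become a second copy of the leaked key.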
Mitigation / Fix
- Remove the leaked file from version control.
- Follow your policy for handling leaked secrets, which typically requires deleting the key. The IBM Cloud console or the API delete-key endpoint can be used.
- Check access logs to ensure that the secret was not used by unintended actors during the compromised period. The Activity Insights service can be used to audit the activity logs.