
AWS access keys and secrets are hard coded in infrastructure

Description

When accessing AWS programmatically, users can choose to use an access key to authenticate themselves and their applications. An access key consists of an access key ID and a secret access key. Anyone who holds an access key has the same level of access to AWS resources as the IAM principal it belongs to, so the keys must be protected and kept private. Specifically, do not hard code access keys and secrets in infrastructure definitions such as Terraform code or other version-controlled configuration: once committed, the secret is visible to everyone with read access to the repository (and stays in its history after removal), and long-lived user keys cannot be scoped to a single deployment the way an assumed role can.

Code Example

```hcl
provider "aws" {
  region = var.region
  - access_key = "NOTEXACTLYAKEY"
  - secret_key = "NOTACTUALLYASECRET"
}
```

Remediation

Terraform

Do not add credentials to your infrastructure code. Remove every `access_key` and `secret_key` attribute from the `provider "aws"` block and let the provider obtain credentials through the standard AWS credential chain at plan/apply time, for example from the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` environment variables, a named profile in the shared credentials file, or the IAM role attached to the CI runner or instance. Moving the literal values into a variable default or a committed `.tfvars` file does not fix the problem; the secret is still in version control.
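The following provider configuration is an added example, not code from the original rule page or from Checkov: it shows the remediated form of the block above, with no `access_key`/`secret_key` attributes, and goes one step further by assuming a short-lived deployment role using whatever credentials the chain resolves. The `region` and `deploy_role_arn` variables, the provider version constraint, and the account ID and role name in the ARN are assumed placeholder values.

```hcl
# Added example (not from the original page): an AWS provider block that
# passes CKV_AWS_41. No credentials appear in code; the provider reads them
# from the SDK default chain at plan/apply time:
#   AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN env vars,
#   a named profile in ~/.aws/credentials (AWS_PROFILE), or the role of the
#   instance, container, or OIDC-federated CI job running Terraform.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumed version constraint
    }
  }
}

variable "region" {
  type    = string
  default = "us-east-1" # assumed default
}

# Deployment role to assume. The account ID and role name are placeholders;
# keeping the ARN in a variable is fine because an ARN is not a secret.
variable "deploy_role_arn" {
  type    = string
  default = "arn:aws:iam::123456789012:role/terraform-deploy"
}

provider "aws" {
  region = var.region

  # Optional hardening: instead of running with long-lived user keys,
  # exchange the chain's credentials for temporary credentials of a role
  # scoped to this deployment. STS issues them for the session only.
  assume_role {
    role_arn     = var.deploy_role_arn
    session_name = "terraform"
  }
}
```

To run a plan with this configuration, supply credentials outside the code (for example `AWS_PROFILE=deploy terraform plan`, or rely on the role attached to the CI runner) and confirm the finding is gone with `checkov -d . --check CKV_AWS_41`. If keys were ever committed, rotating them is part of the remediation; deleting the lines does not remove the values from repository history.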

Rule Details

Field        Value
ID           IAC-0095
Severity     HIGH
IaC Type     Terraform
Frameworks   Terraform, Serverless, TerraformPlan
Checkov ID   CKV_AWS_41
