DataSync Location Object Storage exposes secrets
Description
The policy inspects for any instances where DataSync Location object storage might be revealing secrets. Secrets in this context refer to sensitive information like passwords, API keys, and other such private data. If such secrets are exposed, it means unauthorized individuals could potentially access and manipulate targeted data. The exposure of secrets can lead to serious security risks, including data breaches, unauthorized changes, or even potential system shutdowns. Therefore, ensuring this policy is complied with helps maintain the security and integrity of data.
Code Example
resource "aws_datasync_location_object_storage" "pass" {
agent_arns = [aws_datasync_agent.example.arn]
server_hostname = "example"
bucket_name = "example"
- secret_key = "OWTHATSBLOWNIT"
}Remediation
Terraform
- Resource: aws_datasync_location_object_storage
- Arguments: secret_key
To fix this issue, you should never hard code secrets in your Terraform files. Instead, you should store your secrets in a secure secrets manager and reference them in your Terraform files.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0343 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_295 |