Skip to content

AWS access keys and secrets are hard coded in infrastructure

Description

When accessing AWS programmatically users can select to use an access key to verify their identity, and the identity of their applications. An access key consists of an access key ID and a secret access key. Anyone with an access key has the same level of access to AWS resources.

We recommend you protect access keys and keep them private. Specifically, do not store hard coded keys and secrets in infrastructure such as code, or other version-controlled configuration settings.

Fix - Buildtime

Terraform

You really should not add your secrets to your Infrastructure code, obtain AWS through the keychain e.g. via Environmental variables.
Remove any reference to access_key and secret_key.

text provider.aws.tf provider "aws" { region = var.region - access_key = "NOTEXACTLYAKEY" - secret_key = "NOTACTUALLYASECRET" }