rspec/rules/S6263/java/rule.adoc

In AWS, long-term access keys will be valid until you manually revoke them. This makes them highly sensitive as any exposure can have serious consequences and should be used with care.

This rule will trigger when encountering an instantiation of `com.amazonaws.auth.BasicAWSCredentials`.

== Ask Yourself Whether

* The access key is used directly in an application or AWS CLI script running on an Amazon EC2 instance.
* Cross-account access is needed.
* The access keys need to be embedded within a mobile application.
* Existing identity providers (SAML 2.0, on-premises identity store) already exists.

For more information, see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html#use-roles[Use IAM roles instead of long-term access keys].

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

Consider using IAM roles or other features of the AWS Security Token Service that provide temporary credentials, limiting the risks.


== Sensitive Code Example

----
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
// ...

AWSCredentials awsCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);
----


== Compliant Solution

Example for AWS STS (see https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html[Getting Temporary Credentials with AWS STS]).

[source,java]
----
BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
   session_creds.getAccessKeyId(),
   session_creds.getSecretAccessKey(),
   session_creds.getSessionToken());
----

== See

* https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html[Best practices for managing AWS access keys]
* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing access keys for IAM users]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure using a long-term access key is safe here.


=== Highlighting

Call to "BasicAWSCredentials".


'''
== Comments And Links
(visible only on this page)

=== on 27 May 2021, 14:23:11 Janos Gyerik wrote:
I think a related idea is that instead of passing secrets to a cloud application directly in configuration or environment names, it's better to pass the _name or the ARN of secrets_, which the application can use to fetch the actual secrets from the Secrets Manager service.

endif::env-github,rspecator-view[]
Modify rule S6263: Add info about scope of rule and correct upper-case tag to be lower-case. (#1078) * Add info about the scope of the rule and correct the upper-case tag to be lower-case. * Improve grammar and spelling 2022-06-28 16:58:48 +02:00			`In AWS, long-term access keys will be valid until you manually revoke them. This makes them highly sensitive as any exposure can have serious consequences and should be used with care.`
Nightly update 2021-05-09 01:17:04 +00:00
Modify rule S6263: Add info about scope of rule and correct upper-case tag to be lower-case. (#1078) * Add info about the scope of the rule and correct the upper-case tag to be lower-case. * Improve grammar and spelling 2022-06-28 16:58:48 +02:00			This rule will trigger when encountering an instantiation of `com.amazonaws.auth.BasicAWSCredentials`.
Nightly update 2021-05-09 01:17:04 +00:00
			`== Ask Yourself Whether`

Nightly update 2021-05-11 01:20:07 +00:00			`* The access key is used directly in an application or AWS CLI script running on an Amazon EC2 instance.`
			`* Cross-account access is needed.`
			`* The access keys need to be embedded within a mobile application.`
			`* Existing identity providers (SAML 2.0, on-premises identity store) already exists.`

Modify rule S6263: Add info about scope of rule and correct upper-case tag to be lower-case. (#1078) * Add info about the scope of the rule and correct the upper-case tag to be lower-case. * Improve grammar and spelling 2022-06-28 16:58:48 +02:00			`For more information, see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html#use-roles[Use IAM roles instead of long-term access keys].`
Nightly update 2021-05-09 01:17:04 +00:00
			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

Nightly update 2021-05-11 01:20:07 +00:00			`Consider using IAM roles or other features of the AWS Security Token Service that provide temporary credentials, limiting the risks.`
Nightly update 2021-05-09 01:17:04 +00:00

			`== Sensitive Code Example`

			`----`
			`import com.amazonaws.auth.AWSCredentials;`
			`import com.amazonaws.auth.BasicAWSCredentials;`
			`// ...`

			`AWSCredentials awsCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);`
			`----`

Nightly update 2021-05-11 01:20:07 +00:00
			`== Compliant Solution`

			`Example for AWS STS (see https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html[Getting Temporary Credentials with AWS STS]).`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Nightly update 2021-05-11 01:20:07 +00:00			`----`
			`BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(`
			`session_creds.getAccessKeyId(),`
			`session_creds.getSecretAccessKey(),`
			`session_creds.getSessionToken());`
			`----`

Nightly update 2021-05-09 01:17:04 +00:00			`== See`

			`* https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html[Best practices for managing AWS access keys]`
Nightly update 2021-05-11 01:20:07 +00:00			`* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing access keys for IAM users]`
Nightly update 2021-05-09 01:17:04 +00:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure using a long-term access key is safe here.`


			`=== Highlighting`

			`Call to "BasicAWSCredentials".`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 27 May 2021, 14:23:11 Janos Gyerik wrote:`
			`I think a related idea is that instead of passing secrets to a cloud application directly in configuration or environment names, it's better to pass the _name or the ARN of secrets_, which the application can use to fetch the actual secrets from the Secrets Manager service.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`