In AWS, Long-term access keys will be valid until you manually revoke them. This makes them highly sensitive as any exposure can have serious consequences and should be used with care.


== Ask Yourself Whether

* The access key is used directly in an application or AWS CLI script running on an Amazon EC2 instance.
* Cross-account access is needed.
* The access keys need to be embedded within a mobile application.
* Existing identity providers (SAML 2.0, on-premises identity store) already exists.

For more information, see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html#use-roles[Use IAM roles instead of Long-term access keys].

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

Consider using IAM roles or other features of the AWS Security Token Service that provide temporary credentials, limiting the risks.


== Sensitive Code Example

----
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
// ...

AWSCredentials awsCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);
----


== Compliant Solution

Example for AWS STS (see https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html[Getting Temporary Credentials with AWS STS]).

----
BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
   session_creds.getAccessKeyId(),
   session_creds.getSecretAccessKey(),
   session_creds.getSessionToken());
----

== See

* https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html[Best practices for managing AWS access keys]
* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing access keys for IAM users]



ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]