
In AWS, long-term access keys remain valid until you manually revoke them. This makes them highly sensitive: any exposure can have serious consequences, so they should be used with care.

This rule will trigger when encountering an instantiation of `com.amazonaws.auth.BasicAWSCredentials`.

== Ask Yourself Whether

* The access key is used directly in an application or AWS CLI script running on an Amazon EC2 instance.
* Cross-account access is needed.
* The access keys need to be embedded within a mobile application.
* An existing identity provider (SAML 2.0, on-premises identity store) is already in place.

For more information, see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html#use-roles[Use IAM roles instead of long-term access keys].

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

Consider using IAM roles or other features of the AWS Security Token Service that provide temporary credentials, limiting the risks.

== Sensitive Code Example

[source,java]
----
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
// ...
// Sensitive: accessKeyId and secretAccessKey form a long-term key pair that stays valid until revoked
AWSCredentials awsCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);
----

== Compliant Solution

Example for AWS STS (see https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html[Getting Temporary Credentials with AWS STS]).

[source,java]
----
import com.amazonaws.auth.BasicSessionCredentials;
// ...
// session_creds is the STS Credentials object returned by GetSessionToken (or AssumeRole)
BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
    session_creds.getAccessKeyId(),
    session_creds.getSecretAccessKey(),
    session_creds.getSessionToken());
----
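As an added example (not part of the rule's own text or of the AWS SDK documentation) of the role-based practice recommended above, the following AWS SDK for Java v1 code assumes a role through STS and hands the resulting short-lived session credentials to a service client, first with an explicit `AssumeRole` call and then with a provider that renews them automatically. The role ARN and session name are placeholders, and the region is assumed to come from the SDK's default region chain.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;

public class TemporaryCredentialsExample {
    // Placeholder role ARN (an assumed value, not a real account or role).
    private static final String ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleReadOnlyRole";

    // Variant 1: one explicit AssumeRole call. No BasicAWSCredentials anywhere: the STS
    // client takes the caller's identity from the default provider chain, which on an
    // EC2 instance is the instance role.
    static BasicSessionCredentials assumeRoleOnce(AWSSecurityTokenService sts) {
        AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleArn(ROLE_ARN)
                .withRoleSessionName("example-session")
                .withDurationSeconds(900); // shortest lifetime STS accepts
        Credentials creds = sts.assumeRole(request).getCredentials();
        // The triple carries a session token and stops working at creds.getExpiration(),
        // which bounds the damage if it leaks, unlike a long-term key pair.
        return new BasicSessionCredentials(
                creds.getAccessKeyId(), creds.getSecretAccessKey(), creds.getSessionToken());
    }

    // Variant 2: a provider that assumes the role itself and renews the temporary
    // credentials before they expire, so application code never touches a key pair.
    static AWSCredentialsProvider refreshingRoleProvider() {
        return new STSAssumeRoleSessionCredentialsProvider.Builder(ROLE_ARN, "example-session")
                .withRoleSessionDurationSeconds(900)
                .build();
    }

    public static void main(String[] args) {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.defaultClient();
        AmazonS3 s3Once = AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(assumeRoleOnce(sts)))
                .build();
        AmazonS3 s3Refreshing = AmazonS3ClientBuilder.standard()
                .withCredentials(refreshingRoleProvider())
                .build();
        System.out.println(s3Once.listBuckets().size() + " / " + s3Refreshing.listBuckets().size());
    }
}
```

Variant 2 is the one to prefer in long-running services, since the one-shot credentials from Variant 1 expire after the requested duration and must be re-obtained by hand.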

== See

* https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html[Best practices for managing AWS access keys]
* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing access keys for IAM users]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure using a long-term access key is safe here.

=== Highlighting

Call to "BasicAWSCredentials".

'''
== Comments And Links
(visible only on this page)

=== on 27 May 2021, 14:23:11 Janos Gyerik wrote:

I think a related idea is that instead of passing secrets to a cloud application directly in configuration or environment names, it's better to pass the _name or the ARN of secrets_, which the application can use to fetch the actual secrets from the Secrets Manager service.

endif::env-github,rspecator-view[]