generic.secrets.security.detected-aws-account-id.detected-aws-account-id

Community Favorite
Author: semgrep
Downloads: 37,965

AWS Account ID detected. While an account ID is not considered sensitive information, it should still be used and shared carefully, so it is preferable not to hard-code it here. Instead, read the value from an environment variable or keep it in a separate, private file.

Definition

rules:
  - id: detected-aws-account-id
    patterns:
      - pattern-either:
          - pattern: |
              $ACCOUNT_ID = $SECRET
          - pattern: |
              $ACCOUNT_ID : $SECRET
          - pattern: |
              $ACCOUNT_ID => $SECRET
          - pattern: |
              $ACCOUNT_ID = "$SECRET"
          - pattern: |
              $ACCOUNT_ID : "$SECRET"
          - pattern: |
              $ACCOUNT_ID => "$SECRET"
          - pattern: |
              "$ACCOUNT_ID" = "$SECRET"
          - pattern: |
              "$ACCOUNT_ID" : "$SECRET"
          - pattern: |
              "$ACCOUNT_ID" => "$SECRET"
      - metavariable-analysis:
          metavariable: $SECRET
          analyzer: entropy
      - metavariable-regex:
          metavariable: $SECRET
          regex: ^((?!(12345|0000).*)[0-9]{12})$
      - metavariable-regex:
          metavariable: $ACCOUNT_ID
          regex: (AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?
    languages:
      - generic
    message: AWS Account ID detected. While not considered sensitive information, it
      is important to use them and share them carefully. For that reason it
      would be preferrable avoiding to hardcoded it here. Instead, read the
      value from an environment variable or keep the value in a separate,
      private file.
    severity: ERROR
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
      category: security
      technology:
        - secrets
        - aws
      confidence: LOW
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets

Examples

detected-aws-account-id.txt

# ruleid: detected-aws-account-id
aws_account_id = 287139315271

# ruleid: detected-aws-account-id
aws_account_id:287139315271

{
    "version": "0",
    "id": "a76750eb-b69f-ae47-b183-4d3cb0700618",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    # ruleid: detected-aws-account-id
    "account": "287139315271",
    "time": "2018-05-22T12:44:24Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
       "eventVersion": "1.05",
       "userIdentity": {},
       "eventTime": "2018-05-22T12:44:24Z",
       "eventSource": "s3.amazonaws.com",
       "eventName": "DeleteBucket",
       "awsRegion": "us-east-1",
       "sourceIPAddress": "209.6.231.175",
       "userAgent": "[S3Console/0.4, aws-internal/3]",
       "requestParameters": {},
       "responseElements": null,
       "additionalEventData": {
          "vpcEndpointId": "vpce-6d72a204"
       },
       "requestID": "51A7870C114C931C",
       "eventID": "d687e2af-5a29-4acb-bc41-6892b36420bf",
       "eventType": "AwsApiCall",
       "vpcEndpointId": "vpce-6d72a204"
    }
}

Mappings:
  ElbService:
    # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
    us-east-1:
      # ruleid: detected-aws-account-id
      AccountId: "287139315271"

# ruleid: detected-aws-account-id
aws_account_id = "287139315271"

aws s3api put-bucket-inventory-configuration \
              --bucket my-bucket \
              --id 2 \
# ruleid: detected-aws-account-id
              --inventory-configuration '{"Destination": { "S3BucketDestination": { "AccountId": "287139315271", "Bucket": "arn:aws:s3:::my-bucket", "Format": "CSV" }}, "IsEnabled": true, "Id": "2", "IncludedObjectVersions": "Current", "Schedule": { "Frequency": "Daily" }}'


# ok: detected-aws-account-id
aws_account_id_fake:123456789012123
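The following is an added example, not code from the registry page or from the Semgrep project: a stand-alone Python approximation of the rule above that reuses its two metavariable regexes (key side and value side) to flag hard-coded 12-digit account IDs in key/value lines, plus the remediation the rule message asks for (reading the value from an environment variable). The combined assignment regex, the function names and the sample lines are assumptions of this example; the sample is constructed to mirror the test file's positive and negative cases.

```python
import os
import re

# Copied from the rule's metavariable-regex for $ACCOUNT_ID (the key side).
KEY_RE = re.compile(r'''(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?''')
# Copied from the rule's metavariable-regex for $SECRET (the value side): exactly
# 12 digits, excluding obvious placeholders that start with 12345 or 0000.
VALUE_RE = re.compile(r"^((?!(12345|0000).*)[0-9]{12})$")
# Stand-in for the rule's nine generic patterns: an optionally quoted key, one of
# the separators "=", ":" or "=>", then an optionally quoted run of digits.
ASSIGNMENT_RE = re.compile(
    r'''(?P<kq>["']?)(?P<key>[A-Za-z_][A-Za-z0-9_]*)(?P=kq)\s*(?:=>|=|:)\s*'''
    r'''(?P<vq>["']?)(?P<value>[0-9]+)(?P=vq)'''
)


def find_account_ids(text: str) -> list[tuple[int, str]]:
    """Return (1-based line number, account id) for every hard-coded hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT_RE.finditer(line):
            # fullmatch on the key: "aws_account_id_fake" must not count, which is
            # what the test file's "ok:" case expects.
            if KEY_RE.fullmatch(m.group("key")) and VALUE_RE.match(m.group("value")):
                hits.append((lineno, m.group("value")))
    return hits


def account_id_from_env(var: str = "AWS_ACCOUNT_ID", env=os.environ) -> str:
    """Remediation from the rule message: read the ID from the environment."""
    value = env.get(var)
    if value is None:
        raise KeyError(f"{var} is not set")
    if not re.fullmatch(r"[0-9]{12}", value):
        raise ValueError(f"{var} must be exactly 12 digits")
    return value


# Constructed sample mirroring the test file's positive and negative cases.
SAMPLE = """\
aws_account_id = 287139315271
"account": "287139315271",
      AccountId: "287139315271"
aws_account_id = 123456789012
aws_account_id_fake:123456789012123
"""

if __name__ == "__main__":
    for lineno, acct in find_account_ids(SAMPLE):
        print(f"line {lineno}: hard-coded AWS account id {acct}")
```

Lines 4 and 5 of the sample are deliberately not reported: the first is a placeholder excluded by the value regex, the second fails both the key check and the 12-digit check.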