generic.secrets.security.detected-aws-account-id.detected-aws-account-id
Community Favorite
Download Count: 37,965
AWS Account ID detected. This is a sensitive credential and should not be hardcoded here. Instead, read the value from an environment variable or keep the value in a separate, private file.
Definition
rules:
  - id: detected-aws-account-id
    patterns:
      - pattern-either:
          - pattern: |
              $ACCOUNT_ID = $SECRET
          - pattern: |
              $ACCOUNT_ID : $SECRET
          - pattern: |
              $ACCOUNT_ID => $SECRET
          - pattern: |
              $ACCOUNT_ID = "$SECRET"
          - pattern: |
              $ACCOUNT_ID : "$SECRET"
          - pattern: |
              $ACCOUNT_ID => "$SECRET"
          - pattern: |
              "$ACCOUNT_ID" = "$SECRET"
          - pattern: |
              "$ACCOUNT_ID" : "$SECRET"
          - pattern: |
              "$ACCOUNT_ID" => "$SECRET"
      - metavariable-analysis:
          metavariable: $SECRET
          analyzer: entropy
      - metavariable-regex:
          metavariable: $SECRET
          regex: ^((?!(12345|0000).*)[0-9]{12})$
      - metavariable-regex:
          metavariable: $ACCOUNT_ID
          regex: (AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?
    languages:
      - generic
    message: AWS Account ID detected. This is a sensitive credential and should not
      be hardcoded here. Instead, read the value from an environment variable or
      keep the value in a separate, private file.
    severity: ERROR
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
      category: security
      technology:
        - secrets
        - aws
      confidence: LOW
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
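The definition above fires only when both metavariable filters agree: the key must contain an account-id-looking name (note that this regex is unanchored, so any key that merely contains "account" passes) and the value must be exactly 12 digits that do not start with the placeholder prefixes 12345 or 0000. The following Python script is an added example, not code from the Semgrep rule or the registry page: it copies the two metavariable regexes verbatim and approximates the nine pattern shapes with one key/value regex, so you can see which lines the filters accept without installing Semgrep. It does not reproduce Semgrep's generic-mode tokenizer or the entropy analyzer, so results can differ from a real run. The sample lines are constructed (adapted from the rule's own test file, plus extra edge cases), and `SAMPLE`, `scan`, `load_account_id` and the `AWS_ACCOUNT_ID` variable name are this example's own choices.

```python
"""Emulate the detected-aws-account-id Semgrep rule with plain regexes.

Added example, not the rule's own code. It reproduces the rule's two
metavariable-regex filters and its three key/value separators (=, :, =>)
with optional quoting, but NOT Semgrep's generic-mode tokenizer or the
entropy analyzer, so a real `semgrep` run may differ.
"""
import os
import re
from typing import List, Mapping, Tuple

# Key regex copied from the rule. It is unanchored: any key that merely
# contains "account" satisfies it (see db_account_total in SAMPLE).
ACCOUNT_KEY_RE = re.compile(r"""(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?""")

# Value regex copied from the rule: exactly 12 digits, rejecting the
# placeholder prefixes 12345 and 0000.
ACCOUNT_VALUE_RE = re.compile(r"^((?!(12345|0000).*)[0-9]{12})$")

# Approximation of the rule's pattern-either: optional quotes around key
# and value, separated by one of the three separators the rule lists.
KV_RE = re.compile(
    r"""["']?(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)["']?"""  # bare or quoted key
    r"""\s*(?:=>|=|:)\s*"""                              # separator
    r"""["']?(?P<value>[^"'\s,]+)["']?"""                # bare or quoted value
)

Hit = Tuple[int, str, str]  # (line number, key, value)


def scan(text: str) -> List[Hit]:
    """Return every key/value pair that both metavariable filters accept."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # A single line may carry several pairs (inline JSON in a CLI call).
        for m in KV_RE.finditer(line):
            key, value = m.group("key"), m.group("value")
            # Semgrep's metavariable-regex is unanchored unless the regex
            # anchors itself, hence re.search for both filters.
            if not ACCOUNT_KEY_RE.search(key):
                continue
            if not ACCOUNT_VALUE_RE.search(value):
                continue
            hits.append((lineno, key, value))
    return hits


def load_account_id(env: Mapping[str, str], name: str = "AWS_ACCOUNT_ID") -> str:
    """The remediation the rule message asks for: read the ID from the
    environment and validate it with the same 12-digit check, so a missing
    value or a placeholder fails at start-up rather than in a bucket policy.
    The variable name AWS_ACCOUNT_ID is an assumption of this example."""
    value = env.get(name, "")
    if not ACCOUNT_VALUE_RE.search(value):
        raise ValueError(f"{name} is missing or is not a 12-digit AWS account ID")
    return value


# Constructed sample: lines adapted from the rule's test file, plus edge
# cases. 287139315271 is the placeholder ID the test file itself uses.
SAMPLE = """\
aws_account_id = 287139315271
aws_account_id:287139315271
"account": "287139315271",
AccountId: "287139315271"
aws_account_id = "287139315271"
--inventory-configuration '{"Destination": {"S3BucketDestination": {"AccountId": "287139315271", "Bucket": "arn:aws:s3:::my-bucket"}}}'
aws_account_id_fake:123456789012123
account_id = 123456789012
retry_count = 287139315271
db_account_total = 287139315271
"""

if __name__ == "__main__":
    for lineno, key, value in scan(SAMPLE):
        print(f"line {lineno}: {key} -> {value}")
    try:
        print("account id from env:", load_account_id(os.environ))
    except ValueError as exc:
        print("env check:", exc)
```

Lines 1 to 6 of the sample fire, as the rule's test file expects. Line 7 (15 digits) and line 8 (starts with 12345) are rejected by the value filter, and line 9 is rejected by the key filter because `retry_count` contains no "account". Line 10 fires even though `db_account_total` is plainly not an account ID, which is the practical consequence of the unanchored key regex and one reason the rule ships with `confidence: LOW` and `subcategory: audit`: treat hits as items to review, not as confirmed leaks.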
Examples
detected-aws-account-id.txt
# ruleid: detected-aws-account-id
aws_account_id = 287139315271
# ruleid: detected-aws-account-id
aws_account_id:287139315271
{
  "version": "0",
  "id": "a76750eb-b69f-ae47-b183-4d3cb0700618",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.s3",
  # ruleid: detected-aws-account-id
  "account": "287139315271",
  "time": "2018-05-22T12:44:24Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {},
    "eventTime": "2018-05-22T12:44:24Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "DeleteBucket",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "209.6.231.175",
    "userAgent": "[S3Console/0.4, aws-internal/3]",
    "requestParameters": {},
    "responseElements": null,
    "additionalEventData": {
      "vpcEndpointId": "vpce-6d72a204"
    },
    "requestID": "51A7870C114C931C",
    "eventID": "d687e2af-5a29-4acb-bc41-6892b36420bf",
    "eventType": "AwsApiCall",
    "vpcEndpointId": "vpce-6d72a204"
  }
}
Mappings:
  ElbService:
    # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
    us-east-1:
      # ruleid: detected-aws-account-id
      AccountId: "287139315271"
# ruleid: detected-aws-account-id
aws_account_id = "287139315271"
aws s3api put-bucket-inventory-configuration \
  --bucket my-bucket \
  --id 2 \
  # ruleid: detected-aws-account-id
  --inventory-configuration '{"Destination": { "S3BucketDestination": { "AccountId": "287139315271", "Bucket": "arn:aws:s3:::my-bucket", "Format": "CSV" }}, "IsEnabled": true, "Id": "2", "IncludedObjectVersions": "Current", "Schedule": { "Frequency": "Daily" }}'
# ok: detected-aws-account-id
aws_account_id_fake:123456789012123
Short Link: https://sg.run/Ro22