terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: aws-provider-static-credentials
    patterns:
      - pattern-inside: |
          provider "aws" {
          ...
              secret_key = "$SECRET"
          }
      - focus-metavariable: $SECRET
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    languages:
      - hcl
    severity: WARNING
    metadata:
      technology:
        - secrets
        - aws
        - terraform
      category: security
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets

Examples

aws-provider-static-credentials.tf

provider "aws" {
  region     = "us-west-2"
  access_key = "AKIAEXAMPLEKEY"
  # ruleid: aws-provider-static-credentials
  secret_key = "randomcharactersabcdef"
  profile = "customprofile"
}


provider "aws" {
  region     = "us-west-2"
  # ruleid: aws-provider-static-credentials
  secret_key = "randomcharactersabcdef"
  profile = "customprofile"
  access_key = "AKIAEXAMPLEKEY"
}

# ok: aws-provider-static-credentials
provider "aws" {
  region                  = "us-west-2"
  shared_credentials_file = "/Users/tf_user/.aws/creds"
  profile                 = "customprofile"
}