Non-encrypted confidential information - Hexadecimal - Aws

Need

Protection of confidential information through encryption

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS SDK for interacting with Amazon Web Services (AWS) services

Description

Non compliant code

        provider "aws" {
          access_key = "AKIAIOSFODNN7EXAMPLE"
          secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
          region     = "us-west-2"
        }

The above code is a typical Terraform configuration used to manage AWS infrastructure. The access_key and secret_key are confidential values used to authenticate to AWS.

However, the confidential information (access_key and secret_key) is merely encoded in hexadecimal rather than encrypted. Anyone with access to the script can trivially decode the hexadecimal values to plain text and thereby gain unauthorized access to the AWS infrastructure.

This is a serious security vulnerability because it exposes the AWS infrastructure to attack. An attacker holding the decoded access_key and secret_key can gain full control over the AWS account, which can lead to data loss, data theft, infrastructure disruption, and other serious consequences.

In addition, hardcoding credentials in the script violates the principle of least privilege and secure coding best practices. A secure method should be used to store and retrieve confidential information, such as AWS Secrets Manager or environment variables.

Steps

  • Replace the access_key and secret_key values with secure and encrypted credentials.
  • Use a secure method to store and retrieve the encrypted credentials.
  • Ensure that the encryption method used is strong and follows best practices.
  • Regularly rotate the access_key and secret_key to minimize the risk of unauthorized access.
  • Monitor and log any access to the credentials to detect any suspicious activity.

Compliant code

        provider "aws" {
          access_key = var.access_key
          secret_key = var.secret_key
          region     = "us-west-2"
        }

        variable "access_key" {
          description = "AWS Access Key"
          type        = string
          sensitive   = true  # keeps the value out of plan/apply output
        }

        variable "secret_key" {
          description = "AWS Secret Key"
          type        = string
          sensitive   = true  # keeps the value out of plan/apply output
        }

The original code had the AWS access_key and secret_key hardcoded into the Terraform provider configuration. This is a security vulnerability, as anyone with access to the codebase could gain unauthorized access to the AWS account.

The updated code removes the hardcoded AWS credentials and instead uses Terraform variables (var.access_key and var.secret_key). The values for these variables should be stored in and retrieved from a secure location, such as AWS Secrets Manager, HashiCorp Vault, or environment variables.

The access_key and secret_key should be encrypted using a strong encryption method and rotated regularly to minimize the risk of unauthorized access. Any access to these credentials should be monitored and logged to detect suspicious activity.

This approach ensures that the AWS credentials are not exposed in the codebase, enhancing the security of the AWS account.
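A pre-commit check that tells the non-compliant and compliant snippets above apart, added here as an example and not code from the original page or from Terraform. It scans provider attributes for literal credentials, whether stored in plain text or hex-encoded, and accepts var.* references; the key-shape regexes and the sample configurations are constructed assumptions, using AWS's documented placeholder values.

```python
import binascii
import re

# Constructed inputs mirroring the two snippets on this page. The key and secret are
# AWS's documented placeholder values, not live credentials.
NON_COMPLIANT = '''provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  region     = "us-west-2"
}
'''
COMPLIANT = NON_COMPLIANT.replace('"AKIAIOSFODNN7EXAMPLE"', "var.access_key").replace(
    '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"', "var.secret_key")

# Shapes of AWS long-term (AKIA) and temporary (ASIA) access key IDs and of secret keys.
ACCESS_KEY_ID = re.compile(r"^(?:AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_KEY = re.compile(r"^[A-Za-z0-9/+]{40}$")
ASSIGNMENT = re.compile(r"^\s*(access_key|secret_key)\s*=\s*(.+?)\s*$")
HEX_LITERAL = re.compile(r"^[0-9a-fA-F]+$")

def _decode_hex(value):
    """Return the ASCII text behind a hex-encoded literal, or None if it is not hex."""
    if len(value) % 2 or not HEX_LITERAL.match(value):
        return None
    try:
        return binascii.unhexlify(value).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_hardcoded_aws_credentials(hcl_text):
    """Return (line_number, attribute, reason) for every provider attribute whose
    value is a credential literal. References such as var.access_key are accepted."""
    findings = []
    for lineno, line in enumerate(hcl_text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        attr, rhs = match.groups()
        if not (rhs.startswith('"') and rhs.endswith('"')):
            continue  # var.*, local.* or data.* reference: the secret lives elsewhere
        literal = rhs[1:-1]
        decoded = _decode_hex(literal)
        candidates = [(literal, "plaintext")] + ([(decoded, "hex-encoded")] if decoded else [])
        for value, encoding in candidates:
            if attr == "access_key" and ACCESS_KEY_ID.match(value):
                findings.append((lineno, attr, f"{encoding} access key ID"))
            elif attr == "secret_key" and SECRET_KEY.match(value):
                findings.append((lineno, attr, f"{encoding} secret access key"))
    return findings
```

Run it over every .tf file in a pre-commit hook or CI job and fail the build when the returned list is non-empty.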