Non-encrypted confidential information - AWS - Python

Non-encrypted confidential information - AWS - Python

Need

Secure storage of AWS credentials

Context

  • Usage of Python 3 for writing and executing Python code
  • Usage of boto3 for interacting with Amazon Web Services (AWS) in Python

Description

Non compliant code

        import boto3

# AWS credentials
aws_access_key_id = 'AKIAIOSFODNN7EXAMPLE'
aws_secret_access_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

# Create a session using your AWS credentials
session = boto3.Session(
    aws_access_key_id=aws_access_key_id,
    aws_secret_access_key=aws_secret_access_key,
)

# Create an S3 client
s3 = session.client('s3')
        
        

In the above Python code, the AWS credentials are stored in plain text within the source code. This is a serious security vulnerability as anyone who has access to the source code will have access to your AWS credentials.

The aws_access_key_id and aws_secret_access_key are your AWS credentials which are needed to access and make requests to AWS services. They are stored in the variables aws_access_key_id and aws_secret_access_key respectively.

A session is then created using these AWS credentials using the boto3.Session method. This session can be used to make requests to AWS services.

Finally, an S3 client is created using the session.client method. This client can be used to interact with the Amazon S3 service.

The main vulnerability here is that the AWS credentials are stored in plain text in the source code. If an attacker were to gain access to the source code, they would also gain access to the AWS credentials, which could lead to unauthorized access to your AWS resources.

Steps

  • Remove the hard-coded AWS credentials from the source code.
  • Use AWS Identity and Access Management (IAM) to create a role with the necessary permissions.
  • Attach the IAM role to the EC2 instance running the application.
  • Use the AWS SDK's default credential provider chain to automatically use the EC2 instance's role credentials.

Compliant code

        import boto3

# Create a session without hard-coded AWS credentials
session = boto3.Session()

# Create an S3 client
s3 = session.client('s3')
        
        

The updated code removes the hard-coded AWS credentials from the source code. Instead of explicitly providing the AWS access key ID and secret access key, the code now relies on the AWS SDK's default credential provider chain.

When your application runs on an Amazon EC2 instance that is associated with an AWS Identity and Access Management (IAM) role, the SDK checks for the presence of associated IAM role credentials. If these credentials are found, the SDK uses them automatically, eliminating the need to hard-code them into your source code.

To use this updated code, you need to:

1. Create an IAM role with the necessary permissions to access the required AWS resources (like S3 in this case). 2. Attach the IAM role to the EC2 instance running your application. 3. Ensure that your application is configured to use the default credential provider chain.

By following these steps, you can avoid exposing your AWS credentials in your source code, reducing the risk of them being compromised.

References