Is your feature request related to a problem? Please describe.
Terraform projects generally should not hard-code credentials (AWS IAM Access Key, Secret Key) into the Terraform provider configuration. During my testing, KICS didn't flag this.
If the provider "aws" block is detected, then ....
The access_key property should not be present
The secret_key property should not be present
I'll have to see what level of effort is required to contribute that query! Just wanted to get it documented for starters. :)
There is a secrets query that would catch this in a different way. It goes off of specific formatting. Your example access key and secret do not look like real ones. Just a note in case that would work for you.
Yeah, I know they aren't real access key and secret key. Posting real ones wouldn't have been prudent.
Also keep in mind that you might not necessarily find "real" values hard-coded in these templates. You might also find insecure references to variables, such as var.aws_key_id or var.aws_secret_key. In that scenario, a secrets detector wouldn't be adequate.
The AWS provider for Terraform accepts environment variables as inputs, so you don't need to specify these credential values in the provider block at all.
I wouldn't only consider this a "critical" level issue if someone did indeed hard-code credentials. Specifying variable references could still be a "warning" level or similar, and recommend using environment variables. There's not really a right or wrong way, just suggestions to help developers understand their options.
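The check requested in this thread, sketched as an added example (not code from the issue and not KICS's own query): it flags `access_key` and `secret_key` inside a `provider "aws"` block and grades a hard-coded literal as "critical" and a variable reference as "warning", following the last comment. The function names, the sample Terraform and the brace-counting scan (used here in place of a real HCL parser) are assumptions.

```python
import re

# Constructed sample input; the key value is a placeholder, not a real credential.
SAMPLE_TF = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "EXAMPLE-ACCESS-KEY-ID"
  secret_key = var.aws_secret_key
}

provider "aws" {
  alias  = "from_env"
  region = "eu-west-1"
}
'''

PROVIDER_RE = re.compile(r'^[ \t]*provider\s+"aws"\s*\{', re.MULTILINE)
ATTR_RE = re.compile(r'^\s*(access_key|secret_key)\s*=\s*(.+?)\s*$')

def aws_provider_blocks(text):
    """Yield (line_no, body) for each provider "aws" block in the text."""
    # Simplification: braces are matched by counting, not by a full HCL parser.
    for m in PROVIDER_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text.count("\n", 0, m.start()) + 1, text[m.end():i - 1]

def severity(value):
    """Hard-coded string literal -> critical; any reference -> warning."""
    literal = value.startswith('"') and "${" not in value
    return "critical" if literal else "warning"

def find_credential_attrs(text):
    """Return (line, attribute, severity) for credentials set in the provider."""
    findings = []
    for start, body in aws_provider_blocks(text):
        for offset, line in enumerate(body.split("\n")):
            m = ATTR_RE.match(line)
            if m:
                findings.append((start + offset, m.group(1), severity(m.group(2))))
    return findings

if __name__ == "__main__":
    for line, attr, level in find_credential_attrs(SAMPLE_TF):
        print(f'line {line}: [{level}] provider "aws" sets {attr}')
```

The second provider block in the sample sets neither attribute, which is the layout the thread recommends when credentials come from environment variables, so it produces no finding.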