Terraform: Flag embedded access key and secret key as insecure #6228

Open
pcgeek86 opened this issue Mar 13, 2023 · 4 comments
Labels: community (Community contribution), feature request (Community: new feature request)

Comments

@pcgeek86

Is your feature request related to a problem? Please describe.

Terraform projects generally should not hard-code credentials (AWS IAM Access Key, Secret Key) into the Terraform provider configuration. During my testing, KICS didn't flag this.

  • If the provider "aws" block is detected, then ....
  • The access_key property should not be present
  • The secret_key property should not be present

[screenshot attached]

@pcgeek86 pcgeek86 added community Community contribution feature request Community: new feature request labels Mar 13, 2023
@kaplanlior
Contributor

Thanks Trevor for the report.

Do you want to try and create a query to catch this case?
https://docs.kics.io/latest/creating-queries/

We'll be happy to help if you're up to the challenge (:

@pcgeek86
Author

I'll have to see what level of effort is required to contribute that query! Just wanted to get it documented for starters. :)

@FooBartn

> I'll have to see what level of effort is required to contribute that query! Just wanted to get it documented for starters. :)

There is a secrets query that would catch this in a different way. It goes off of specific formatting. Your example access key and secret do not look like real ones. Just a note in case that would work for you

@pcgeek86
Author

Yeah, I know they aren't real access key and secret key. Posting real ones wouldn't have been prudent.

Also keep in mind that you might not necessarily find "real" values hard-coded in these templates. You might also find insecure references to variables, such as var.aws_key_id or var.aws_secret_key. In that scenario, a secrets detector wouldn't be adequate.

The AWS provider for Terraform accepts environment variables as inputs, so you don't need to specify these credential values in the provider block at all.

I wouldn't only consider this a "critical" level issue if someone did indeed hard-code credentials. Specifying variable references could still be a "warning" level or similar, and recommend using environment variables. There's not really a right or wrong way, just suggestions to help developers understand their options.
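The rule proposed in this thread, worked through as an added example (this is not a KICS query and not code from anyone in the thread; real KICS queries are written in Rego, this Python only demonstrates the detection logic and the severity split). It scans constructed Terraform snippets for a `provider "aws"` block, reports any `access_key` / `secret_key` attribute inside it, and grades a quoted literal as critical and a variable or expression reference (including `"${var.x}"` interpolation) as a warning, alongside a third snippet that carries no credentials because the provider reads `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` from the environment. The key values in the samples are the placeholder credentials from the AWS documentation, not real ones.

```python
"""Flag AWS credentials embedded in a Terraform provider block (added example, not KICS code).

Rule: if a `provider "aws" { ... }` block is present, `access_key` and `secret_key`
should not be set in it at all.  A quoted literal is a hard-coded credential
(CRITICAL); a var./local./other expression is still a credential wired through
config (WARNING), and the fix in both cases is to let the provider pick up
AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (or a profile / role) instead.
"""
import re
from dataclasses import dataclass

# Attribute assignment: `access_key = <value>` / `secret_key = <value>`
ASSIGN_RE = re.compile(r'^\s*(access_key|secret_key)\s*=\s*(.+?)\s*$')
# A plain quoted string on the right-hand side
LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')


@dataclass
class Finding:
    line: int
    attribute: str
    severity: str
    message: str


def provider_blocks(text: str, name: str):
    """Yield (header_line_no, body) for each `provider "<name>" {` block.

    Brace depth is tracked so nested blocks such as assume_role {} stay inside
    the body.  Simplification: braces inside strings are assumed balanced
    (true for "${...}" interpolation), no general HCL parsing is attempted.
    """
    header = re.compile(r'provider\s+"%s"\s*\{' % re.escape(name))
    for m in header.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        header_line = text.count("\n", 0, m.start()) + 1
        # body starts right after the opening brace, on the header line itself
        yield header_line, text[m.end():i - 1]


def grade(value: str) -> tuple[str, str]:
    """Severity for a credential attribute value, per the thread's suggestion."""
    if LITERAL_RE.match(value) and "${" not in value:
        return "CRITICAL", ("hard-coded credential literal; remove it and supply credentials "
                            "via AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, a profile or a role")
    return "WARNING", (f"credential passed through expression {value}; prefer leaving the "
                       "attribute unset and using environment variables or a profile/role")


def scan(text: str) -> list[Finding]:
    """Return findings for every access_key / secret_key inside a provider "aws" block."""
    findings = []
    for header_line, body in provider_blocks(text, "aws"):
        for offset, raw in enumerate(body.splitlines()):
            m = ASSIGN_RE.match(raw)
            if m:
                severity, message = grade(m.group(2))
                findings.append(Finding(header_line + offset, m.group(1), severity, message))
    return findings


# Constructed samples.  Key values are the AWS documentation placeholders.
HARDCODED = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

VIA_VARIABLES = '''
variable "aws_key_id" {}
variable "aws_secret_key" {}

provider "aws" {
  region     = "us-east-1"
  access_key = var.aws_key_id
  secret_key = "${var.aws_secret_key}"
}
'''

# Corrected form: nothing credential-shaped in the config; the provider reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the environment (or uses a role).
ENV_VARS = '''
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/example"
  }
}
'''

if __name__ == "__main__":
    for label, sample in (("hard-coded", HARDCODED), ("variables", VIA_VARIABLES), ("env vars", ENV_VARS)):
        print(f"== {label}: {len(scan(sample))} finding(s)")
        for f in scan(sample):
            print(f"  line {f.line}: {f.attribute} [{f.severity}] {f.message}")
```

A secrets-pattern query only catches the first sample; the second is what this rule adds, and the third shows the configuration it steers people towards. Running the file prints two CRITICAL findings for the hard-coded sample, two WARNING findings for the variable-backed one, and none for the environment-variable version.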
