Terraform: Flag embededded access key and secret key as insecure about kics HOT 4 OPEN

Thanks Trevor for the report.

Do you want to try and create a query to catch this case?
https://docs.kics.io/latest/creating-queries/

We'll be happy to help if you're up to the challenge (:

from kics.

I'll have to see what level of effort is required to contribute that query! Just wanted to get it documented for starters. :)

from kics.

I'll have to see what level of effort is required to contribute that query! Just wanted to get it documented for starters. :)

There is a secrets query that would catch this in a different way. It goes off of specific formatting. Your example access key and secret do not look like real ones. Just a note in case that would work for you

from kics.

Yeah, I know they aren't real access key and secret key. Posting real ones wouldn't have been prudent.

Also keep in mind that you might not necessarily find "real" values hard-coded in these templates. You might also find insecure references to variables, such as var.aws_key_id or var.aws_secret_key. In that scenario, a secrets detector wouldn't be adequate.

The AWS provider for Terraform accepts environment variables as inputs, so you don't need to specify these credential values in the provider block at all.

I wouldn't only consider this a "critical" level issue if someone did indeed hard-code credentials. Specifying variable references could still be a "warning" level or similar, and recommend using environment variables. There's not really a right or wrong way, just suggestions to help developers understand their options.

from kics.