保護DataHogo
Security Encyclopedia/Cloud Provider Security
criticalCWE-798OWASP A02:2021

AWS Credentials Hardcoded

AWS access keys (starting with AKIA) or secret access keys are hardcoded in your source code, giving anyone who reads the code full access to your AWS account.

How It Works

AWS access keys are essentially a username (AKIA...) and password pair with API-level access to your cloud account. Hardcode them in source and commit to GitHub, and automated scanners like GitGuardian find them within seconds. Attackers then use them to spin up crypto-mining EC2 instances, exfiltrate S3 data, or rack up AWS bills. AWS has automated detection but it's not instant — breaches happen in the gap.

Vulnerable Code
// BAD: AWS credentials hardcoded in source
const s3 = new S3Client({
  region: 'us-east-1',
  credentials: {
    accessKeyId: 'AKIAIOSFODNN7EXAMPLE',      // hardcoded — NEVER do this
    secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
  }
});
Secure Code
// GOOD: use environment variables or IAM roles (preferred on AWS)
const s3 = new S3Client({
  region: process.env.AWS_REGION
  // On EC2/Lambda/ECS: no credentials needed — SDK uses IAM role automatically
  // Locally: set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars
});

Real-World Example

AWS publishes a Threat Research report annually. Hardcoded credentials in public GitHub repos are the #1 source of initial AWS account compromise. Typical attack timeline: commit with credentials → GitHub push → GitGuardian or malicious scanner detects within 30 seconds → S3 exfiltration or EC2 mining instances launched within 5 minutes.

How to Prevent It

  • Use IAM roles for EC2/Lambda/ECS — the SDK picks up credentials automatically with no keys in code
  • For local development, use aws configure to store credentials in ~/.aws/credentials (outside your repo)
  • If you need long-lived keys (CI/CD), store them as encrypted secrets in GitHub Actions / your CI provider
  • Enable GitGuardian or use git-secrets as a pre-commit hook to prevent key commits
  • Rotate all AWS keys immediately if they were ever committed — then audit CloudTrail for misuse

Affected Technologies

Node.jsPython

Data Hogo detects this vulnerability automatically.

Scan Your Repo Free

Related Vulnerabilities

S3 Bucket Public Access

critical

Your S3 bucket is publicly readable due to a public ACL, disabled Block Public Access settings, or a wildcard bucket policy — anyone on the internet can list and download your files.

CWE-284OWASP A05:2021

Cloud Metadata SSRF

critical

Your app fetches user-supplied URLs without blocking cloud metadata endpoints like 169.254.169.254, letting attackers steal your cloud credentials via SSRF.

CWE-918OWASP A10:2021

IAM Overly Permissive Policy

high

Your IAM policy uses Action: '*' or Resource: '*', granting far more permissions than needed and turning any credential leak into a full account takeover.

CWE-269OWASP A01:2021

Cloud Storage CORS Misconfiguration

medium

Your S3 or GCS bucket has CORS configured with origin: '*' or AllowedMethods: ['*'], letting any website read your storage responses and potentially access private data.

CWE-942OWASP A05:2021