This rule raises an issue when long-term AWS access keys are used directly in code.
Long-term AWS access keys remain valid until manually revoked, making them a significant security risk. Unlike temporary credentials, these keys don’t expire automatically and provide persistent access to your AWS resources. When hardcoded in applications, stored in configuration files, or used in environments where temporary credentials are available, they create unnecessary security exposure. AWS provides several alternatives like IAM roles, temporary credentials through AWS STS, and instance profiles that offer better security practices.
If long-term access keys are compromised, attackers keep access to your AWS resources until someone notices and manually revokes the keys; there is no expiry to limit the window. This can lead to unauthorized data access, resource manipulation, unexpected charges, and data breaches. The risk is particularly high when keys are embedded in mobile applications (where anyone can extract them from the package), used on EC2 instances (where an instance profile could have supplied temporary credentials instead), or stored in version control systems (where they survive in history even after the file is cleaned).
Use IAM roles or temporary credentials instead of hardcoded access keys to improve security and follow AWS best practices.
```python
import boto3

s3_client = boto3.client(
    's3',
    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE'
)  # Noncompliant: hardcoded long-term access keys are used
```
```python
import boto3
import os

# Assume a role through STS: the credentials it returns are short-lived and
# carry a session token, so a leak has a bounded lifetime.
sts_client = boto3.client('sts')
assumable_role_arn = os.environ.get(
    'ASSUMABLE_ROLE_ARN',
    'arn:aws:iam::account-of-role-to-assume:role/name-of-role'  # placeholder ARN
)
assumed_role_object = sts_client.assume_role(
    RoleArn=assumable_role_arn,
    RoleSessionName="AssumeRoleSession1"
)
credentials = assumed_role_object['Credentials']

# Compliant: no credentials in code. boto3 resolves them from its default
# provider chain (environment variables, an instance profile, an attached
# role, or a local profile), which is the preferred option when available.
s3_client = boto3.client('s3')

# Compliant: temporary credentials obtained from STS above, passed together
# with their session token. They expire on their own and cannot be reused
# after that.
s3_client = boto3.client(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken']
)
```