Python Hardcoded AWS Credentials
Description
Detects hardcoded AWS credentials in Python code, specifically looking for AWS access keys, secret keys, and session tokens that are directly embedded in the source code. This practice poses a significant security risk as it can lead to credential exposure and unauthorized AWS account access if the code is shared or compromised.
Detection Strategy
• Check if any AWS-related libraries (boto3, boto, botocore, s3fs, pyathena, aiobotocore) are imported in the code
• Look for function arguments or variable assignments with names matching 'aws_access_key_id', 'aws_secret_access_key', or 'aws_session_token'
• Validate whether the associated values match the expected patterns: an AWS access key ID (20 characters starting with 'A'), a secret access key (40-character base64 string), or a session token (270-360 character base64 string)
• Report a vulnerability when credentials matching these patterns are found hardcoded in the source code
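The strategy above, worked through as an added example that is not Fluid Attacks' own analyzer: a small checker built on Python's standard ast module that applies the three steps (AWS library imported, credential-named argument or variable, value shape) to a constructed sample. The library set and the value patterns come from the bullets; the regular expressions that encode those patterns are my assumption about how the matching is done.

```python
import ast
import re
# Libraries whose import marks the file as AWS-related (from the rule description).
AWS_LIBS = {"boto3", "boto", "botocore", "s3fs", "pyathena", "aiobotocore"}
# Value patterns described in the detection strategy, keyed by the credential name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"^A[A-Z0-9]{19}$"),
    "aws_secret_access_key": re.compile(r"^[A-Za-z0-9+/]{40}$"),
    "aws_session_token": re.compile(r"^[A-Za-z0-9+/=]{270,360}$"),
}
# Constructed sample with placeholder values (not real keys); mirrors the vulnerable example below.
SAMPLE = '''import boto3
client = boto3.client("s3", aws_access_key_id="AKIAXXXXXXXXXXXXXXXX",
                      aws_secret_access_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
'''

def imports_aws_lib(tree):
    # True if the module imports any AWS library (handles `import x.y` and `from x import y`).
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = {alias.name.split(".")[0] for alias in node.names}
        elif isinstance(node, ast.ImportFrom):
            names = {(node.module or "").split(".")[0]}
        else:
            continue
        if names & AWS_LIBS:
            return True
    return False

def find_hardcoded_aws_credentials(source):
    # Returns a list of (line, credential name) for every hardcoded credential found.
    tree = ast.parse(source)
    if not imports_aws_lib(tree):
        return []
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):  # keyword args: boto3.client(..., aws_access_key_id="...")
            candidates = [(kw.arg, kw.value) for kw in node.keywords if kw.arg]
        elif isinstance(node, ast.Assign):  # assignments: aws_secret_access_key = "..."
            candidates = [(t.id, node.value) for t in node.targets if isinstance(t, ast.Name)]
        else:
            continue
        for name, value in candidates:
            pattern = PATTERNS.get(name)
            # Only a string literal can be hardcoded; os.environ.get(...) is a Call and is skipped.
            if pattern and isinstance(value, ast.Constant) and isinstance(value.value, str):
                if pattern.match(value.value):
                    findings.append((value.lineno, name))
    return findings
```

Running find_hardcoded_aws_credentials(SAMPLE) reports the access key on line 2 and the secret on line 3, while the same call on the secure example below reports nothing because the values are calls, not literals.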
Vulnerable code example
import boto3
# Hardcoded AWS credentials directly in code - severe security risk
client = boto3.client(
    "s3",
    aws_access_key_id="AKIAJLVYNHUWCPKOPSYQ",  # Vulnerable: Hardcoded access key
    aws_secret_access_key="jWnyxxxxxxxxxxxxxxxxX7ZQxxxxxxxxxxxxxxxx",  # Vulnerable: Hardcoded secret
)
✅ Secure code example
import boto3
import os
# Load credentials from environment variables - more secure
# If a variable is unset, the value is None and boto3 falls back to its default credential chain
client = boto3.client(
    "s3",
    aws_access_key_id=os.environ.get("AWS_ACCESS_KEY_ID"),  # Safe: credentials from environment
    aws_secret_access_key=os.environ.get("AWS_SECRET_ACCESS_KEY"),  # Safe: credentials from environment
)