Go Hardcoded AWS Secret Access Key
Description
Detects hardcoded AWS secret access keys in Go code that uses the AWS SDK. This vulnerability exposes sensitive credentials directly in source code, making them visible to anyone with access to the codebase and potentially leading to unauthorized AWS resource access.
Detection Strategy
• Code imports the AWS SDK for Go (github.com/aws/aws-sdk-go, or its v2 module github.com/aws/aws-sdk-go-v2)
• Function calls are made to AWS SDK methods that accept secret access keys as parameters
• The secret access key parameter contains a hardcoded string value instead of being retrieved from environment variables, configuration files, or secure credential stores
• For positional parameter methods: both the access key ID (first parameter) and secret access key (second parameter) are hardcoded strings
• For struct-based methods: the secret access key field within the configuration struct contains a hardcoded string value
Vulnerable code example
package main
import (
	"github.com/aws/aws-sdk-go/aws/credentials"
	credentialsv2 "github.com/aws/aws-sdk-go-v2/credentials"
)
// Placeholder values stand in for the real hardcoded key pair; the string literals themselves are the defect.
func vulnerableStaticCredentials() *credentials.Credentials {
	return credentials.NewStaticCredentials("AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER", "")
}
func vulnerableStaticCredentialsV2() credentialsv2.StaticCredentialsProvider {
	return credentialsv2.NewStaticCredentialsProvider("AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER", "")
}
✅ Secure code example
package main
import (
	"os"
	"github.com/aws/aws-sdk-go/aws/credentials"
	credentialsv2 "github.com/aws/aws-sdk-go-v2/credentials"
)
// Assumed completion: the key pair is read from the environment (or a credential store) instead of string literals in source.
func secureStaticCredentials() *credentials.Credentials {
	return credentials.NewStaticCredentials(os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY"), "")
}
func secureStaticCredentialsV2() credentialsv2.StaticCredentialsProvider {
	return credentialsv2.NewStaticCredentialsProvider(os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY"), "")
}
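As an added example (not Fluid Attacks' own rule engine or code), the following Go program implements the two detection rules above as a go/ast check: NewStaticCredentials* calls whose first two arguments are string literals (positional rule) and composite literals whose SecretAccessKey field is a string literal (struct rule). The scanned source is constructed inline with placeholder values, and the function name FindHardcodedAWSSecrets is an assumption.

```go
package main
import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)
// Constructed sample (placeholder values): v1 positional call, v2 struct literal, and a safe env-based call.
const sampleSrc = `package main
func a() { credentials.NewStaticCredentials("AKIAEXAMPLE", "PLACEHOLDER_SECRET", "") }
func b() { _ = aws.Credentials{AccessKeyID: "AKIAEXAMPLE", SecretAccessKey: "PLACEHOLDER_SECRET"} }
func c() { credentials.NewStaticCredentials(os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY"), "") }
`
func isStringLit(e ast.Expr) bool {
	lit, ok := e.(*ast.BasicLit)
	return ok && lit.Kind == token.STRING
}
// FindHardcodedAWSSecrets maps source line -> matched rule: NewStaticCredentials* calls whose first two
// arguments are literals (positional rule) or a SecretAccessKey field set to a literal (struct rule).
func FindHardcodedAWSSecrets(src string) (map[int]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	out := map[int]string{}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr: // positional-parameter rule
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok && strings.HasPrefix(sel.Sel.Name, "NewStaticCredentials") &&
				len(x.Args) >= 2 && isStringLit(x.Args[0]) && isStringLit(x.Args[1]) {
				out[fset.Position(x.Pos()).Line] = "positional"
			}
		case *ast.KeyValueExpr: // struct-based rule
			if id, ok := x.Key.(*ast.Ident); ok && id.Name == "SecretAccessKey" && isStringLit(x.Value) {
				out[fset.Position(x.Pos()).Line] = "struct"
			}
		}
		return true
	})
	return out, nil
}

func main() {
	findings, _ := FindHardcodedAWSSecrets(sampleSrc)
	fmt.Println(findings) // map[2:positional 3:struct]
}
```

The check only sees literals written directly at the call or field; a literal first bound to a const or variable needs constant propagation, which this example does not do.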