Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

Terraform: Flag embedded access key and secret key as insecure #6228

Open pcgeek86 opened 1 year ago

pcgeek86 commented 1 year ago

Is your feature request related to a problem? Please describe.

Terraform projects generally should not hard-code credentials (AWS IAM Access Key, Secret Key) into the Terraform provider configuration. During my testing, KICS didn't flag this.

[screenshot attached in the original issue; not reproduced here]

kaplanlior commented 1 year ago

Thanks Trevor for the report.

Do you want to try and create a query to catch this case? https://docs.kics.io/latest/creating-queries/

We'll be happy to help if you're up to the challenge (:

pcgeek86 commented 1 year ago

I'll have to see what level of effort is required to contribute that query! Just wanted to get it documented for starters. :)

FooBartn commented 1 year ago

> I'll have to see what level of effort is required to contribute that query! Just wanted to get it documented for starters. :)

There is a secrets query that would catch this in a different way. It goes off of specific formatting. Your example access key and secret do not look like real ones. Just a note in case that would work for you.

pcgeek86 commented 1 year ago

Yeah, I know they aren't real access key and secret key. Posting real ones wouldn't have been prudent.

Also keep in mind that you might not necessarily find "real" values hard-coded in these templates. You might also find insecure references to variables, such as var.aws_key_id or var.aws_secret_key. In that scenario, a secrets detector wouldn't be adequate.

The AWS provider for Terraform accepts environment variables as inputs, so you don't need to specify these credential values in the provider block at all.

I wouldn't only consider this a "critical" level issue if someone did indeed hard-code credentials. Specifying variable references could still be a "warning" level or similar, and recommend using environment variables. There's not really a right or wrong way, just suggestions to help developers understand their options.
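The detection logic the thread arrives at, as an added example that is not part of this issue and not KICS's own code or a KICS query (a contributed query would be written in Rego against KICS's parsed document model, per the creating-queries docs linked above; the classification is the same). It scans `provider "aws"` blocks for `access_key`/`secret_key`, reports a string literal as a hard-coded credential, a `var.`/`local.` reference as a weaker "credential routed through a variable" finding, and leaves a block with no credential attributes alone. It also records whether a literal has the shape of a real access key id, which is what a format-based secrets detector keys on and what placeholder values like those in the screenshot never match. The Terraform snippets and the `AKID_SHAPE` pattern are constructed for this example; the credential values are placeholders.

```python
import re

# Opening of a `provider "aws" { ... }` block (an aliased provider block also matches).
PROVIDER_OPEN = re.compile(r'provider\s+"aws"\s*\{')
# access_key / secret_key attribute inside the block body, one per line.
CRED_ATTR = re.compile(r'^\s*(access_key|secret_key)\s*=\s*(.+?)\s*$', re.MULTILINE)
# Shape of an AWS access key id (assumption for this example). A format-based
# secrets detector keys on something like this; "my-access-key" never matches.
AKID_SHAPE = re.compile(r'(AKIA|ASIA)[A-Z0-9]{16}')


def block_body(text, open_brace):
    """Return the text between the `{` at open_brace and its matching `}`,
    so nested blocks such as assume_role { ... } do not end the provider early."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unterminated provider block")


def classify(raw_value):
    """Map an attribute value to (kind, severity, advice)."""
    v = raw_value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return ("hardcoded", "HIGH",
                "credential is a string literal in source: rotate it and pass "
                "credentials via AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or a profile")
    if v.startswith("var.") or v.startswith("local."):
        return ("variable", "MEDIUM",
                "credential is routed through a Terraform variable: the value still "
                "ends up in tfvars, CLI history or state; prefer environment variables")
    return ("other", "LOW",
            "credential comes from an expression: review where the value originates")


def scan(hcl_text):
    """Return one finding per credential attribute found in any aws provider block."""
    findings = []
    for m in PROVIDER_OPEN.finditer(hcl_text):
        body = block_body(hcl_text, m.end() - 1)   # m.end()-1 is the index of '{'
        for a in CRED_ATTR.finditer(body):
            attr, raw = a.group(1), a.group(2)
            kind, severity, advice = classify(raw)
            findings.append({
                "attribute": attr,
                "value": raw,
                "kind": kind,
                "severity": severity,
                "looks_like_real_akid": attr == "access_key"
                and AKID_SHAPE.search(raw) is not None,
                "advice": advice,
            })
    return findings


# Constructed sample inputs; the credential values are placeholders, not real keys.
HARDCODED = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}
'''

VAR_REFERENCE = '''
provider "aws" {
  region     = var.region
  access_key = var.aws_key_id
  secret_key = var.aws_secret_key
  assume_role {
    role_arn = var.role_arn
  }
}
'''

# Credentials come from the environment or a profile, so nothing to flag here.
CLEAN = '''
provider "aws" {
  region = "us-east-1"
}
'''

if __name__ == "__main__":
    for label, text in (("hardcoded", HARDCODED), ("variable", VAR_REFERENCE), ("clean", CLEAN)):
        print(f"== {label} ==")
        for f in scan(text):
            print(f"  [{f['severity']}] {f['attribute']} = {f['value']} ({f['kind']}); {f['advice']}")
```

Running the block prints two HIGH findings for the literal block, two MEDIUM findings for the variable-reference block (the nested `assume_role` block does not confuse the brace matching), and nothing for the clean block. The `looks_like_real_akid` flag is False for every literal in the samples, which is exactly the gap between a format-based secrets query and a structural "this attribute should not be here" query.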