[New Rule] Potential AWS Credential Exposure

[bm11100]

Description

Noting these AWS API calls that return credentials. These could be split into multiple rules based on different datasets or a single rule targeting all possible exposures based on noise testing.

Required Info

• Eventing Sources:

• Target Operating Systems:

• Platforms aws

• Target ECS Version: x.x.x

• New fields required in ECS for this?

• Related issues or PRs

Optional Info

• References: https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a https://kmcquade.com/2020/12/sensitive-aws-api-calls/

APIs

chime:CreateApiKey
codepipeline:PollForJobs
cognito-identity:GetOpenIdToken
cognito-identity:GetOpenIdTokenForDeveloperIdentity
cognito-identity:GetCredentialsForIdentity
connect:GetFederationToken
connect:GetFederationTokens
ecr:GetAuthorizationToken
gamelift:RequestUploadCredentials
iam:CreateAccessKey
iam:CreateLoginProfile
iam:CreateServiceSpecificCredential
iam:ResetServiceSpecificCredential
iam:UpdateAccessKey
lightsail:GetInstanceAccessDetails
lightsail:GetRelationalDatabaseMasterUserPassword
rds-db:connect
redshift:GetClusterCredentials
sso:GetRoleCredentials
mediapackage:RotateChannelCredentials
mediapackage:RotateIngestEndpointCredentials
sts:AssumeRole
sts:AssumeRoleWithSaml
sts:AssumeRoleWithWebIdentity
sts:GetFederationToken
sts:GetSessionToken

[botelastic[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.