Use Temporary Credentials
IAM users and access keys are long-term (durable) credentials: they are not rotated until someone acts to rotate them. They may still be usable by recently terminated employees if there was no record of who held or owned those credentials.
These credentials present multiple risks, so avoid IAM users and access keys whenever possible and aim to stop using them entirely.
Use roles instead: roles provide temporary access (a time-bound token), reducing the risk of compromise. If an instance needs to access AWS resources, don't use access keys; use IAM instance profiles (roles) instead. If it's a Lambda function, use Lambda execution roles. If it's an Amazon ECS task, use ECS task execution IAM roles, and so on.
Instance profiles give the OS credentials for AWS resources that the application (or script) can use without having any credentials embedded in it.
Well Architected Framework Recommendation Mapping
Risk Mitigation
- Access keys shared via e-mail or instant messaging (such as Slack channels) may be compromised.
- Ex-employees may retain access to durable credentials.
- If access keys are stored in code, everyone who has read access to review the code (such as testers or reviewers) can take those credentials and use them outside the code, or sell them to adversaries.
- Developers may share code with the open-source community in public repositories such as GitHub, exposing the credentials with it.
- Adversaries look for credentials such as Access Keys in open repositories.
- Hardcoded access keys are hard to rotate (particularly important in case of a known compromise where you need to rotate immediately, and if both access keys of an IAM user are in use, the rotation will likely cause outages).
- These risks also apply to secrets stored in config files on the same repository as the code.
Guidance for assessments
- Are you leveraging roles (such as EC2 instance profiles or Lambda execution roles) for temporary access in your applications? (What percentage of your applications use roles vs. durable credentials?)
- Are your developers trained to understand that they should not store secrets in code?
- Are you verifying that no secrets are stored in code?
- Are you leveraging AWS Secrets Manager to store and rotate secrets such as database passwords?
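One way to back the "no secrets stored in code" check above with tooling is a scan, run in CI or as a pre-commit hook, that flags AWS key material and distinguishes durable IAM user keys (AKIA prefix) from role-issued temporary keys (ASIA prefix). This is an added example, not code from this page or from AWS; the sample config, key IDs and secret value are constructed placeholders.

```python
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters and the prefix tells you the credential type:
# AKIA = long-term IAM user key (the durable credential this page warns about),
# ASIA = temporary key issued by STS when a role is assumed.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-like characters; to limit false positives we
# only flag them when the line names the variable (config files, env exports).
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass
class Finding:
    line: int
    kind: str   # "long-term-key", "temporary-key" or "secret-key"
    value: str  # redacted so the scanner's own output does not leak the secret


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_for_aws_credentials(text: str) -> list:
    """Return every access key ID or secret key found in text, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            kind = "long-term-key" if m.group(1) == "AKIA" else "temporary-key"
            findings.append(Finding(lineno, kind, redact(m.group(0))))
        m = SECRET_KEY_RE.search(line)
        if m:
            findings.append(Finding(lineno, "secret-key", redact(m.group(1))))
    return findings


def has_long_term_credentials(text: str) -> bool:
    """True when a durable IAM user key is present: the case to block in CI."""
    return any(f.kind == "long-term-key" for f in scan_for_aws_credentials(text))


# Constructed sample of what a reviewer might find committed to a repository.
# The key IDs and secret are made-up placeholders, not real credentials.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAEXAMPLE0000000AB
aws_secret_access_key = ExampleSecretKeyExampleSecretKey00000000
# a role-issued temporary key still should not be committed, but it is time-bound
export AWS_ACCESS_KEY_ID=ASIAEXAMPLE0000000CD
"""
```

Fail the build when `has_long_term_credentials` returns True. This catches committed IAM user keys and named secret keys only, so it complements developer training and Secrets Manager rather than replacing them.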
AWS Secrets Manager videos
- Back to basics: Secrets Manager
See also
Use temporary credentials
Pricing
https://aws.amazon.com/secrets-manager/pricing
You can try AWS Secrets Manager at no additional cost with a 30-day free trial. The free trial allows you to rotate, manage, and retrieve sensitive data for a period of 30 days.