AWS logo
Amazon CodeGuruDetector Library

AWS credentials logged High

Unencrypted AWS credentials are logged. This could expose those credentials to an attacker. Encrypt sensitive data, such as credentials, before they are logged to make the code more secure.

Detector ID
python/aws-logged-credentials@v1.0
Category
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1def log_credentials_noncompliant():
2    import boto3
3    import logging
4    session = boto3.Session()
5    credentials = session.get_credentials()
6    credentials = credentials.get_frozen_credentials()
7    access_key = credentials.access_key
8    secret_key = credentials.secret_key
9    # Noncompliant: credentials are written to the logger.
10    logging.info('Access key: ', access_key)
11    logging.info('secret access key: ', secret_key)

Compliant example

1def log_credentials_compliant():
2    import boto3
3    session = boto3.Session()
4    credentials = session.get_credentials()
5    credentials = credentials.get_frozen_credentials()
6    access_key = credentials.access_key
7    secret_key = credentials.secret_key
8    # Compliant: avoids writing credentials to the logger.
9    session = boto3.Session(
10        aws_access_key_id=access_key,
11        aws_secret_access_key=secret_key
12    )