AWS credentials are designed to authenticate and authorize requests to AWS.
If your application interacts with AWS then it requires AWS credentials to access all the resources it needs to function properly. Resources that can be accessed depend on the permission granted to the AWS account. Worst case scenario: the credential authenticates to the AWS account root user who has unrestricted access to all resources in your AWS account, including billing information.
Therefore only administrators should have access to the AWS credentials used by your application.
As a consequence, AWS credentials should not be stored along with the application code as they would grant special privilege to anyone who has access to the application source code.
Credentials should be stored outside of the code in a file that is never committed to your application code repository.
If possible, a better alternative is to use your cloud provider’s service for managing secrets. On AWS this service is called Secret Manager.
When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.
This rule flags instances of:
- AWS Secret Access Key
- AWS Access ID
- AWS Session Token