use env vars over hardcoded values

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: python-security/aws-boto-credentials

Language: Python

Severity: Notice

Category: Security

CWE: 798

Description

This rule makes sure that the boto3 library use the environments variables to authenticate instead of using hardcoded credentials. This rule checks for the boto3.client and boto3.Session calls. It addresses the CWE-798 rule - uses of hardcoded credentials in code.

Learn More

Non-Compliant Code Examples

from boto3 import client

cli = client(
    's3',
    aws_access_key_id="AGPAFOOBAR",
    aws_secret_access_key="bar",
    aws_session_token=SESSION_TOKEN
)

import boto3 

client = boto3.client(
    's3',
    aws_access_key_id="AGPAFOOBAR",
    aws_secret_access_key="bar",
    aws_session_token=SESSION_TOKEN
)

import boto3

client = boto3.Session(
    's3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token="foobar" # hard coded credential
)

Compliant Code Examples

import boto3

client = boto3.Session(
    's3',
    aws_session_token=SESSION_TOKEN
)

import boto3

client = boto3.client(
    's3',
    aws_session_token=SESSION_TOKEN
)

client = boto3.client(
    's3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN
)
PREVIEWING: aliciascott/DOCS-9725-Cloudcraft