Benchmark: 3. No hard-coding secrets
Description
When you build applications on AWS, you can use AWS IAM roles to deliver temporary, short-lived credentials for calling AWS services. However, some applications require longer-lived credentials, such as database passwords or other API keys. If this is the case, you should never hard code these secrets in the application or store them in source code.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-top-10
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3. No hard-coding secrets.
Run this benchmark in your terminal:
powerpipe benchmark run aws_top_10.benchmark.account_security_no_hardcoded_secrets
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_top_10.benchmark.account_security_no_hardcoded_secrets --share
Controls
- EC2 auto scaling group launch configurations user data should not have any sensitive data
- CloudFormation stacks outputs should not have any secrets
- CodeBuild project plaintext environment variables should not contain sensitive AWS values
- EC2 instances user data should not have secrets
- ECS task definition containers should not have secrets passed as environment variables