2. Emily Gladstone Cole @UnixGeekEm
Agenda
1. Introduction
2. Nightmare #1: Access Keys in Source Code
3. Nightmare #2: Old Access Keys
4. Nightmare #3: Keys on Disk
5. Access Key Best Practices
3. Who is this Emily Person Anyway?
PAST
● UNIX SysAdmin/Operations background
● Experience in Security Incident Response, Security Research, Security Engineering
CURRENT
● Senior Security Engineer at
● Mentor for SANS’ Women’s CyberTalent Immersion Academy
FUN FACTS
● My favorite computer game is Nethack
● None of the cats you will see here today are mine
4. Disclaimers
I am not affiliated with Amazon or AWS.
I’m not being paid to give this talk.
I’m sharing what I have learned. There are many others who know more about AWS and Access Keys than I do. Some of them are cited in the references.
5. What is an AWS Access Key?
Access Key ID:
● Always starts with AKIA…
● Is the equivalent of your username
Secret Access Key:
● Secret really means secret
● Treat this key like a password
6. When your Access Key is compromised, an attacker can do anything you can.
7. For those of you who already knew all this, this slide is for you. On to the good stuff!
9. Access Keys in Source Code
When the repo is public, this means almost instant compromise of the keys.
Remember: attackers can do anything you can, using your Access Key and Secret Key.
● View and copy customer data
● Bitcoin Mining
11. How can YOU find Access Keys in Source Code?
We can detect them with source code scanners!
● truffleHog
● git-secrets
● detect-secrets (can be run as a pre-commit hook!)
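As an added illustration of what these scanners look for (example code written for this page, not part of the talk or of any of the tools listed): a small Python scanner that flags Access Key IDs by their AKIA prefix and candidate Secret Access Keys by length plus Shannon entropy, which is how it tells a key apart from a 40-character git commit hash. The sample source text and the entropy threshold are constructed assumptions.

```python
import math
import re
from typing import List, NamedTuple

# Access Key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret Access Keys are 40 characters from the base64 alphabet. The pattern
# is deliberately loose; the entropy check below weeds out look-alikes.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
# Bits per character; an assumed threshold. 40 hex chars (a git SHA-1) cannot reach 4.0.
SECRET_ENTROPY_THRESHOLD = 4.0

# Constructed sample input using AWS's documented placeholder credentials.
SAMPLE_SOURCE = """\
# config.py (constructed sample, not real credentials)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GIT_COMMIT = "da39a3ee5e6b4b0d3255bfef95601890afd80709"  # 40 hex chars, not a key
"""


class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(text: str) -> List[Finding]:
    """Return every probable Access Key ID or Secret Access Key in text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= SECRET_ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "secret_access_key", m.group(1)))
    return findings


if __name__ == "__main__":
    # Print redacted hits so the scanner itself never leaks a full secret.
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} {f.value[:4]}...{f.value[-4:]}")
```

Running it on a real tree means feeding each file's contents (and, for the history problem the next slide covers, each commit's diff) to scan_text.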
12. What if I find an Access Key?
● Rotate the key so it’s no longer valid
● Delete the commit that contained the Access Key so it’s not sitting in the commit history
● Talk with your Dev team about storing keys differently
13. DIY Honeypots: Canary Tokens
Canary Tokens are one implementation of a honeytoken.
● Can be in the form of a document, a key, a QR code, a DNS record…
● Alerts can be generated when the token is accessed, either to an email address or a webhook
● You can know if someone is in your data
● Your Dev team will probably find this idea fun
15. Access Keys get old
The longer an Access Key is around, the greater the chance it can be found somewhere it shouldn’t be.
16. The longer Access Keys are around, the higher the chances something may happen to them accidentally.
17. Solution: Rotate your Access Keys
You can rotate your Access Keys manually, and it’s fairly straightforward.
There are tools to help you rotate your Access Keys automatically, like aws-rotate-iam-keys, which works well for individuals, but for application users it’s not that simple.
20. Other ways to expose keys on disk
● Store them in environment variables
● Write them to log files
● Expose them through the EC2 Instance Metadata Service v1 (IMDSv1), as in the Capital One breach
21. Hide Access Keys: aws-vault and vault
Using a vault tool allows you to store your keys in a keystore and interact with pointers to them, not the actual keys.
I don’t recommend storing shared AWS Access Keys in password managers.
22. Don’t use permanent Access Keys at all
● Security Token Service can generate temporary credentials
○ Credentials inherently expire
● Roles use STS to delegate permissions
○ Roles can be created with Policies assigned
○ Can be used to grant access to a user in another account (cross-account)
○ Can be used by instances or applications
24. If you were napping during the first part of my talk, here’s a quick meme to catch you up.
25. Squad Goals: Access Keys are accessible only when needed
● Don’t have permanently-valid Keys sitting around in your source code
● Don’t have them sitting on disk
● Don’t have them loaded in environment variables
● Do have Keys that are only valid for a short amount of time
● Do have unique Keys for each user and application
● Only request a Key when you are about to use it
26. Coming Soon: SSO and AWS
SSO can be used with Okta, OneLogin, Ping...
Here are some Okta-based integrations:
● okta-aws
● okta-awscli
● okta-aws-cli-assume-role
● AWS recently came out with an Okta integration as well!
Tying AWS into our SSO provider is our next step. We haven’t built that yet at my company, but we’re working on it right now.