AWS Access Keys
Introduction
AWS Access Keys are secrets, like the many other secrets used during software development: API keys, database connection strings, static passwords, and so on. For general information on Secrets Management, please review the Enterprise Systems Secrets Presentation from the Fall 2022 DCSS meeting.
IAM users with access keys are an account security risk because an access key is a long-term credential: it does not expire on its own, and anyone who obtains it has the same access as the IAM user it belongs to until the key is deactivated or deleted. You must manage your access keys securely and must not share them with others.
- Do NOT use your account’s root credentials to create access keys.
- Do NOT put access keys in your application files, source code or git repository.
- Understand that access keys stored in the AWS credentials file on your systems (~/.aws/credentials) are plaintext. Anyone who can read that file, or a backup or disk image of it, has the key. Restrict the file to its owner (for example chmod 600) and keep it out of shared or world-readable locations.
$ cat .aws/credentials
[default]
aws_access_key_id = AKIXXXXXXXXXXXXXXP46
aws_secret_access_key = XV9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXWIT
As a best practice, use temporary security credentials (such as IAM roles) instead of creating long-term credentials like access keys. Before creating access keys, review the AWS document on alternatives to long-term access keys.
If you must use an access key, please follow the procedure steps below.
Prerequisites
Procedures
- Create an IAM identity-based policy with limited actions, limited resources and limited source IPs, allowing only what your task needs.
- Create an IAM user and an IAM group that will be used solely for this task. Put the user into the group.
- Apply the policy you created (in step one) to that group, not directly to the user.
- Create an access key for that user and deploy it only to the systems that run your application.
- Run your application to ensure it works as expected, then confirm that requests outside the policy (another action, another bucket, another source address) are denied.
For example, in the IT Security Office, we have a task called Netscan that runs daily to monitor open server ports across campus. Netscan results are stored in an AWS S3 Bucket. We have a dedicated IAM user named netscan-append in a dedicated IAM group named netscan-append-group with the following IAM identity-based policy attached to the group.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::netscan-dfvfgb92/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "128.173.0.0/16",
                        "198.82.0.0/16",
                        "2001:468:c80::/48",
                        "2607:b400::/40",
                        "128.172.24.209/32"
                    ]
                }
            }
        }
    ]
}
This policy only allows netscan-append to write an object into one specific S3 bucket, and only when the request comes from a Virginia Tech IP address. We have defined a limited action (s3:PutObject only: the user cannot list, read or delete objects), a limited resource (objects in one specific S3 bucket) and limited source IPs (the aws:SourceIp condition is checked against the Virginia Tech IPv4 and IPv6 ranges). Because aws:SourceIp is a single-valued key, a plain IpAddress operator with a list of CIDRs is sufficient; the request matches if the address falls in any one of them.
If the netscan-append access key is compromised, the attacker may only use it to upload objects to that one S3 bucket, and only from a campus IP address. They cannot read the results or use the key for anything else. Note that s3:PutObject also overwrites an existing object with the same key, so enable bucket versioning if earlier results must be preserved. If you suspect a key has been exposed, deactivate it in IAM immediately and issue a new one.
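To make the procedure steps above and the netscan-append policy concrete, here is an added example, not part of the ITSO procedure or any AWS tooling, that builds a policy of the same shape (parameterised by bucket name and source-IP ranges) and evaluates constructed requests against it the way IAM evaluates a single Allow statement. The bucket name and IP ranges are taken from the policy on this page; the request addresses and object key are made up for illustration, and the evaluator only implements what this policy uses (Allow statements, Action/Resource wildcards, and the IpAddress operator on aws:SourceIp).

```python
"""Build and locally evaluate a limited-scope IAM policy (added example).

This is illustrative code, not an AWS library: it covers only the policy
features used on this page so you can see which requests would be allowed.
"""
import fnmatch
import ipaddress

# Source ranges from the netscan-append policy on this page.
VT_RANGES = [
    "128.173.0.0/16",
    "198.82.0.0/16",
    "2001:468:c80::/48",
    "2607:b400::/40",
    "128.172.24.209/32",
]


def build_policy(bucket, cidrs, actions=("s3:PutObject",)):
    """Return an identity-based policy allowing only `actions` on objects in
    `bucket`, and only when the request originates from one of `cidrs`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LimitedWrite",
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # aws:SourceIp is single-valued, so plain IpAddress is enough;
                # a list of CIDRs matches if any one contains the address.
                "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(source_ip, cidrs):
    """IpAddress condition: false when the key is absent from the request
    context (for example a request made through a VPC endpoint)."""
    if source_ip is None:
        return False
    addr = ipaddress.ip_address(source_ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def is_allowed(policy, action, resource, source_ip=None):
    """A request is denied unless some Allow statement matches the action,
    the resource, and every condition attached to that statement."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are matched case-insensitively; ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        conditions_met = True
        for operator, keys in stmt.get("Condition", {}).items():
            if operator != "IpAddress":
                raise NotImplementedError(f"operator {operator} not modelled")
            for key, values in keys.items():
                if key != "aws:SourceIp":
                    raise NotImplementedError(f"key {key} not modelled")
                conditions_met &= _ip_in_any(source_ip, _as_list(values))
        if conditions_met:
            return True
    return False


NETSCAN_POLICY = build_policy("netscan-dfvfgb92", VT_RANGES)
# Constructed object ARN inside the netscan bucket.
RESULT_OBJ = "arn:aws:s3:::netscan-dfvfgb92/2024-01-01.json"


def scenarios():
    """Constructed requests showing what a stolen netscan-append key can do."""
    p = NETSCAN_POLICY
    campus_v4, campus_v6, off_campus = "128.173.10.20", "2607:b400:1::5", "203.0.113.7"
    return {
        "put from campus v4": is_allowed(p, "s3:PutObject", RESULT_OBJ, campus_v4),
        "put from campus v6": is_allowed(p, "s3:PutObject", RESULT_OBJ, campus_v6),
        "put from off campus": is_allowed(p, "s3:PutObject", RESULT_OBJ, off_campus),
        "read from campus": is_allowed(p, "s3:GetObject", RESULT_OBJ, campus_v4),
        "put to other bucket": is_allowed(p, "s3:PutObject", "arn:aws:s3:::other/x", campus_v4),
        "put with no aws:SourceIp": is_allowed(p, "s3:PutObject", RESULT_OBJ, None),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

Only the two campus-origin PutObject requests are allowed; reading an object, writing to another bucket, writing from an off-campus address, or a request that carries no aws:SourceIp at all are denied. Run the same kind of check against your own policy before deploying a key, and remember this evaluator models only the Allow side: in a real account an explicit Deny elsewhere, or a bucket policy, can still block a request this code says is allowed.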
Other
If you have questions that are not covered in this procedure, please contact the Virginia Tech IT Security Office at itso@vt.edu for a consultation.