Exposed Secrets (severity: critical)

AWS Access Keys Committed to Source Code

What Is This Vulnerability?

AWS access key IDs and secret access keys are embedded directly in application code or configuration files. These credentials can grant broad access to AWS services including S3, EC2, Lambda, and IAM, allowing attackers to provision resources, access data, or take over the entire AWS account.

Why It Happens

Developers configure the AWS SDK with hardcoded credentials during development instead of using IAM roles or credential profiles. Quick scripts for one-time tasks often contain inline keys that later get committed. Some developers are unaware of the AWS credential chain and credential provider alternatives.

Example Code

Vulnerable: s3-upload.ts
import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";

// Long-lived IAM user keys hardcoded in source: anyone who can read the
// repository (or its history) can use them until they are deactivated.
const s3 = new S3Client({
  region: "us-east-1",
  credentials: {
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  },
});

export async function uploadFile(bucket: string, key: string, body: Buffer) {
  return s3.send(new PutObjectCommand({ Bucket: bucket, Key: key, Body: body }));
}

Fixed: s3-upload.ts
import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";

// No credentials in code: the SDK resolves them through its default credential
// chain (environment variables, shared credentials file, or the IAM role of the
// EC2 instance / ECS task / Lambda function the code runs on).
const s3 = new S3Client({
  region: process.env.AWS_REGION || "us-east-1",
});

export async function uploadFile(bucket: string, key: string, body: Buffer) {
  return s3.send(new PutObjectCommand({ Bucket: bucket, Key: key, Body: body }));
}

How Hackers Exploit It

Bots continuously scan GitHub for strings matching the AKIA prefix of AWS access keys. Within minutes of a key being committed, attackers can use it to spin up cryptocurrency mining instances, exfiltrate S3 data, create IAM backdoor users, or encrypt resources for ransom. AWS bills can reach tens of thousands of dollars within hours.

How to Fix It

Remove hardcoded credentials and rely on the AWS SDK default credential chain, which automatically checks environment variables, shared credential files, and IAM roles. For production workloads, use IAM roles for EC2 instances or ECS tasks. Immediately deactivate and rotate any exposed keys through the AWS IAM console.

Frequently Asked Questions

How quickly do attackers find exposed AWS keys?
Automated bots can detect AWS keys within minutes of a public commit. Researchers have shown that new keys pushed to public GitHub repos are exploited in under 30 minutes. This is why immediate rotation is critical if a key is ever committed, even briefly.

What is the AWS default credential chain?
The AWS SDK automatically looks for credentials in this order: environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), shared credentials file (~/.aws/credentials), EC2/ECS instance IAM role, and SSO credentials. By not specifying credentials in code, the SDK uses the most appropriate source for each environment.

Should I use IAM roles instead of access keys?
Yes, whenever possible. IAM roles for EC2 instances, ECS tasks, and Lambda functions provide temporary credentials that are automatically rotated. This eliminates the risk of long-lived keys being leaked and removes the need to manage key rotation yourself.

How do I scan my repo for existing AWS key leaks?
Use tools like git-secrets, truffleHog, or gitleaks to scan your repository history. AWS also offers the aws-secret-scanning feature in CodePipeline, and GitHub provides built-in secret scanning that detects AWS keys and notifies AWS to quarantine them.
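As an added example that is not part of this page or of any of the tools named above, here is a minimal TypeScript scanner of the kind a pre-commit hook or CI step can run over staged text: it flags AKIA/ASIA-prefixed access key IDs anywhere, and 40-character secret-key-shaped values only on lines that also name a secret-key field, to keep noise down. The sample input is constructed from the vulnerable snippet above; the `Finding`, `scanForAwsKeys` and `mask` names are this example's own.

```typescript
// Added example (not from the original page): a small scanner for AWS credential
// material in text, usable in a pre-commit hook or CI step. Sample input is constructed.

interface Finding {
  line: number;                                  // 1-based line number in the scanned text
  kind: "access-key-id" | "secret-access-key";
  token: string;                                 // matched value; mask it before logging
}

// Access key IDs: AKIA (long-lived IAM user key) or ASIA (temporary STS key) + 16 [A-Z0-9].
// Group 1 is a boundary guard so we do not match inside a longer alphanumeric token.
const ACCESS_KEY_ID = /(^|[^A-Za-z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Za-z0-9])/g;
// Secret keys are 40 chars of [A-Za-z0-9/+]. Alone that pattern is noisy, so only flag
// it on lines that also name a secret-key field (SDK option, env var, or ini key).
const SECRET_FIELD = /secret_?access_?key/i;
const SECRET_VALUE = /(^|[^A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])/g;

function collect(re: RegExp, line: string, lineNo: number, kind: Finding["kind"], out: Finding[]): void {
  re.lastIndex = 0;                              // a global regex keeps state; reset per line
  let m: RegExpExecArray | null;
  while ((m = re.exec(line)) !== null) {
    out.push({ line: lineNo, kind, token: m[2] });
  }
}

function scanForAwsKeys(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((line, i) => {
    collect(ACCESS_KEY_ID, line, i + 1, "access-key-id", findings);
    if (SECRET_FIELD.test(line)) collect(SECRET_VALUE, line, i + 1, "secret-access-key", findings);
  });
  return findings;
}

// Never echo a full credential in hook output: keep only the first and last 4 chars.
function mask(token: string): string {
  return token.slice(0, 4) + "*".repeat(token.length - 8) + token.slice(-4);
}

// Constructed sample: the vulnerable snippet from this page, plus a clean line that
// reads the secret from the environment and must not be flagged.
const SAMPLE = [
  'const s3 = new S3Client({',
  '  region: "us-east-1",',
  '  credentials: {',
  '    accessKeyId: "AKIAIOSFODNN7EXAMPLE",',
  '    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",',
  '  },',
  '});',
  'const fromEnv = process.env.AWS_SECRET_ACCESS_KEY;',
].join("\n");

// Prints one masked line per finding, e.g. "s3-upload.ts:4 access-key-id AKIA************MPLE".
for (const f of scanForAwsKeys(SAMPLE)) console.log(`s3-upload.ts:${f.line} ${f.kind} ${mask(f.token)}`);
```

A hook built on this should exit non-zero when any finding is returned, and the real tools listed above also walk the full git history, which this snippet does not.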
