AWS credentials logged
Severity: High

Unencrypted AWS credentials are written to a log. Anyone who can read that log, including an attacker who later obtains it, can use those credentials. Encrypt sensitive data, such as credentials, before it is logged to make the code more secure.

Detector ID
python/aws-logged-credentials@v1.0
Category

Noncompliant example

```python
import logging

import boto3


def log_credentials_noncompliant():
    # INFO records are only emitted once a handler is configured.
    logging.basicConfig(level=logging.INFO)
    session = boto3.Session()
    credentials = session.get_credentials()
    credentials = credentials.get_frozen_credentials()
    access_key = credentials.access_key
    secret_key = credentials.secret_key
    # Noncompliant: credentials are written to the logger in plain text.
    logging.info('Access key: %s', access_key)
    logging.info('secret access key: %s', secret_key)
```

Compliant example

```python
import boto3


def log_credentials_compliant():
    session = boto3.Session()
    credentials = session.get_credentials()
    credentials = credentials.get_frozen_credentials()
    access_key = credentials.access_key
    secret_key = credentials.secret_key
    # Compliant: the credentials are only passed to the new session, never to the logger.
    # Temporary credentials (instance roles, STS) also carry a session token; without it
    # the new session would be rejected by AWS.
    session = boto3.Session(
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
        aws_session_token=credentials.token
    )
    return session
```
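The compliant example removes the logging call, which is the right primary fix. As defense in depth, a logging filter can also scrub credentials that reach a log record by accident. The following is an added example, not part of the detector page or of boto3: it masks AWS access key IDs by their documented prefix pattern (AKIA for long-term keys, ASIA for temporary STS keys, each followed by 16 uppercase alphanumerics) and masks known secret values by exact match. The key and secret used as input are the well-known placeholder values from AWS documentation, constructed here for the demonstration; nothing is read from a real session.

```python
import io
import logging
import re

# Constructed sample values (the AWS documentation placeholders); they are not live credentials.
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA,
# followed by 16 uppercase alphanumeric characters.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def redact_credentials(text, known_secrets=()):
    """Mask access key IDs by pattern and any known secret values by exact match."""
    text = ACCESS_KEY_ID_RE.sub("[REDACTED-ACCESS-KEY-ID]", text)
    for secret in known_secrets:
        if secret:
            text = text.replace(secret, "[REDACTED-SECRET]")
    return text


class CredentialRedactingFilter(logging.Filter):
    """Rewrites each record's fully formatted message before a handler emits it."""

    def __init__(self, known_secrets=()):
        super().__init__()
        self.known_secrets = tuple(known_secrets)

    def filter(self, record):
        # getMessage() applies the %-style args. Store the redacted result and clear
        # the args so the formatter does not try to apply them a second time.
        record.msg = redact_credentials(record.getMessage(), self.known_secrets)
        record.args = ()
        return True


def build_logger(known_secrets, stream):
    """Logger writing to `stream` with the redaction filter on its handler."""
    logger = logging.getLogger("aws-redaction-demo")
    logger.handlers.clear()  # keep repeated calls idempotent
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # A filter on the handler sees records from child loggers as well;
    # a filter on the logger only sees records logged directly on it.
    handler.addFilter(CredentialRedactingFilter(known_secrets))
    logger.addHandler(handler)
    return logger


def demo(access_key=SAMPLE_ACCESS_KEY, secret_key=SAMPLE_SECRET_KEY):
    """Log the same two lines as the noncompliant example and return what reached the sink."""
    sink = io.StringIO()
    logger = build_logger([secret_key], sink)
    logger.info("Access key: %s", access_key)
    logger.info("secret access key: %s", secret_key)
    return sink.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The secret access key has no fixed prefix, so it is masked by value: the filter is constructed with the secrets the process actually holds (here the sample secret) rather than guessing a pattern. The filter sits on the handler rather than the logger so that records from every logger writing to that handler are scrubbed, and it is a fallback only; code should still never pass credentials to a logging call.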