Understanding the Risks and Mitigations for AWS Access Keys and GitHub OAuth Tokens

We frequently hear about cybersecurity attacks on organizations in the news, and the financial impact of these breaches can be significant for the companies involved. Just like other IT components, your cloud infrastructure and DevOps environment are also potential targets for cyberattacks. In this article, I’ll share some key strategies, best practices and tips that can help you secure your cloud and DevOps environments, minimizing the risks and protecting your critical systems.

?AWS access keys, secret keys, and GitHub OAuth tokens play crucial roles in managing access to cloud services and version control systems. However, improper handling of these credentials can pose significant security risks.

?

AWS access keys and secret keys

AWS access keys and secret keys authenticate and authorize requests to AWS services. If these keys are exposed, such as through accidentally committing them to a public code repository or including them in configuration files such as in Terraform configuration file or Ansible playbooks they can lead to severe security breaches. An exposed key could allow unauthorized users to access your AWS resources, potentially leading to costly data leaks or malicious changes. Attackers can misuse these keys to execute actions like launching new instances or accessing sensitive data.

To avoid these risks, it's important to use best practices for managing AWS credentials. One key practice is to use IAM roles instead of embedding credentials in your applications. IAM roles provide temporary access to AWS resources without the need for static credentials. When running applications on EC2 instances, assigning IAM roles with appropriate permissions can enhance security. Additionally, you should store credentials in environment variables rather than hardcoding them into your codebase. This practice helps keep your keys secure and out of public view.

Another important measure is to rotate your keys regularly. Regular rotation reduces the risk of compromised credentials being used over extended periods. AWS supports automatic key rotation, which can simplify this process. It’s also crucial to monitor your AWS accounts for unusual activities using services like AWS CloudTrail and AWS Config. These tools help track access and changes, allowing you to quickly identify and respond to potential security incidents. Implementing the principle of least privilege by granting only the necessary permissions further limits the potential damage if credentials are compromised.

?

GitHub OAuth tokens

GitHub OAuth tokens, used for authenticating and authorizing interactions with GitHub APIs, also need careful management. Similar to AWS keys, if OAuth tokens are exposed, they can grant unauthorized access to your repositories and sensitive information. This could result in unauthorized modifications, data breaches, or the introduction of malicious code.

To safeguard GitHub OAuth tokens, avoid hardcoding them in your code or configuration files. Instead, use environment variables or secure storage solutions. For workflows using GitHub Actions, leverage GitHub Secrets, which are encrypted and only accessible within the workflows. When creating OAuth tokens, limit their scope to the minimum necessary permissions. This practice helps contain any potential damage from token exposure. Regularly revoking and regenerating tokens is another important measure, especially if you suspect they may have been compromised. Monitoring token usage through GitHub’s audit logs can also help you spot and address any unusual or unauthorized activities.

Additional Tips

When working with infrastructure as code tools like Terraform and configuration management tools like Ansible, it's equally important to manage your AWS keys securely. Hardcoding these keys directly in Terraform configuration files or Ansible playbooks can expose them to risk, especially if the files are stored in version control systems like GitHub.

In Terraform, one of the best practices is to use environment variables to pass AWS credentials. Terraform automatically picks up the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. By setting these variables on your local machine or within your CI/CD pipeline, you can ensure that your credentials are not exposed within your code.

Example: Setting AWS Credentials Using Environment Variables

export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key        

Terraform will automatically use these environment variables when you run your Terraform configurations.

Alternatively, you can use a credentials file stored outside the codebase. Here’s how you can configure Terraform to use this file:

Example: Using a Credentials File

provider "aws" {
? shared_config_files????? = ["/foo/bar/tf_user/.aws/conf"]
? shared_credentials_files = ["/foo/bar/tf_user/.aws/creds"]
? profile????????????????? = "customprofile"
}        

This keeps your access keys out of your Terraform code and version control, reducing the risk of exposure. In addition, using a tool like HashiCorp Vault to manage and dynamically generate short-lived AWS credentials adds an extra layer of security.

In Ansible, similar best practices apply. You can securely manage AWS keys by using environment variables, as Ansible can automatically access these variables during playbook execution.

Example: Invoking Environment Variables in Ansible playbook ?

---
- name: Launch an EC2 instance using environment variables
? hosts: localhost
? gather_facts: False
? tasks:
??? - name: Launch an EC2 instance
????? ec2_instance:
??????? key_name: my-key
??????? instance_type: t2.micro
??????? image_id: ami-0abcdef1234567890
??????? region: us-east-1
??????? wait: yes
??????? count: 1
??????? aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"
??????? aws_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}"        

Alternatively, you can use Ansible Vault to encrypt sensitive information such as AWS keys. Ansible Vault allows you to store and access encrypted credentials in your playbooks securely. By using Ansible Vault, you ensure that sensitive data remains protected, even if the playbook file is exposed.

Example: Using Ansible Vault

1. Encrypt the credentials using Ansible Vault:

?

ansible-vault encrypt_string 'your_access_key' --name 'aws_access_key_id'
ansible-vault encrypt_string 'your_secret_key' --name 'aws_secret_access_key'        

?

2.?Use the encrypted variables in your playbook:

---
- name: Launch an EC2 instance with encrypted keys
? hosts: localhost
? gather_facts: False
? vars:
??? aws_access_key_id: !vault |
????? $ANSIBLE_VAULT;1.1;AES256? 31393733646336616531353661363665333037353635313961306538336534653031366333656366
????? ...
??? aws_secret_access_key: !vault |
????? $ANSIBLE_VAULT;1.1;AES256????? 32636638646534353662386665303764306636386165313234393838653231363465333633656335
????? ...

? tasks:
??? - name: Launch an instance
????? ec2_instance:
??????? key_name: my-key
??????? instance_type: t2.micro
??????? image_id: ami-0abcdef1234567890
??????? region: us-east-1
??????? wait: yes
??????? count: 1        

Additionally, when passing AWS credentials to Ansible playbooks, avoid including them directly in the playbook file or in plain text within extra variables. Instead, store them in environment variables or use Ansible Vault to encrypt them, ensuring that your playbook remains secure.

Wrap up!

By following these best practices using IAM roles, avoiding hardcoded credentials, rotating keys, monitoring activities, using environment variables, and leveraging tools like Terraform and Ansible Vault you can significantly reduce the risks associated with AWS access keys and GitHub OAuth tokens. Proper credential management is crucial for protecting your systems, maintaining the security of your cloud infrastructure, and safeguarding your DevOps pipelines.