- Sometimes developers add their env file to git commit which contains AWS Access key, to avoid this, we can use git HOOK to check personal key first and use merge_request pipeline job to check before merging the commit to branch
Whatβs In This Document
π How to scan all AWS keys
https://github.com/vumdao/scan-iam-keys/blob/master/scan-iam-keys.py
#!/usr/bin/env python import boto3 import subprocess as sub import re import threading def get_commit_change_content(): output = sub.check_output(["git", "show"]) return output def scan_iam_access_keys(): iam = boto3.client('iam') users = iam.list_users()['Users'] commit_change = get_commit_change_content() def check_key(the_key): if re.search(the_key['AccessKeyId'], str(commit_change)): print(f"Detect {the_key['AccessKeyId']}") def check_user(the_user): user_name = the_user['UserName'] print("Get keys") access_keys = iam.list_access_keys(UserName=user_name)['AccessKeyMetadata'] for key in access_keys: check_key(key) print(f"Done {user_name}") for user in users: user_thread = threading.Thread(target=check_user, args=(user,)) user_thread.start() if __name__ == '__main__': scan_iam_access_keys() π Test A Commit
- Create text file eg. sample.txt which contains an AWS key
- Run test
β‘ $ ./scan-iam-keys.py Detect AKIAZUFR7JW2ZBEOKUVR Notes:
- For offline way, we can use the pattern
(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}to scan the repository or the commit changes
Top comments (0)