Ensure AWS access keys and secrets are not hard coded in infrastructure

Error: AWS access keys and secrets are hard coded in infrastructure

Bridgecrew Policy ID: BC_AWS_SECRETS_5
Checkov Check ID: CKV_AWS_41
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Description

When accessing AWS programmatically, users can choose to use an access key to verify their own identity and the identity of their applications. An access key consists of an access key ID and a secret access key. Anyone who holds an access key has the same level of access to AWS resources as the identity it belongs to.

We recommend that you protect access keys and keep them private. Specifically, do not store hard-coded keys and secrets in infrastructure such as code or other version-controlled configuration settings.

Fix - Buildtime

Terraform

Do not add secrets to your infrastructure code; instead, let the AWS provider obtain credentials through its credential chain, e.g. via environment variables.
Remove any reference to access_key and secret_key.

provider "aws" {
  region = var.region
  - access_key = "NOTEXACTLYAKEY"
  - secret_key = "NOTACTUALLYASECRET"
}
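As an added illustration of the condition this check looks for (a simplified scanner written for this page, not Checkov's own implementation of CKV_AWS_41): it flags access_key and secret_key attributes inside provider "aws" blocks whose values are quoted string literals. The sample configuration and its fake key values are constructed.

```python
import re

# Constructed sample Terraform: the first block is the "before" state the policy
# flags (fake values, not real keys); the second block is clean.
SAMPLE_TF = '''
provider "aws" {
  region     = var.region
  access_key = "NOTEXACTLYAKEY"
  secret_key = "NOTACTUALLYASECRET"
}

provider "aws" {
  alias  = "clean"
  region = "eu-west-1"
}
'''

# Body of each provider "aws" { ... } block (non-greedy, up to the closing brace).
PROVIDER_RE = re.compile(r'provider\s+"aws"\s*\{(.*?)\n\}', re.DOTALL)
# access_key / secret_key assignments inside a block; the value runs to end of line.
ATTR_RE = re.compile(r'^\s*(access_key|secret_key)\s*=\s*(.+?)\s*$', re.MULTILINE)


def find_hardcoded_credentials(tf_text):
    """Return (block_index, attribute, value) for every access_key/secret_key in a
    provider "aws" block whose value is a quoted string literal, i.e. hard coded in
    the configuration rather than supplied by a variable or data reference.
    The documented fix removes both attributes entirely and relies on the
    provider's credential chain (e.g. environment variables)."""
    findings = []
    for idx, block in enumerate(PROVIDER_RE.finditer(tf_text)):
        for attr, value in ATTR_RE.findall(block.group(1)):
            if value.startswith('"') and value.endswith('"'):
                findings.append((idx, attr, value.strip('"')))
    return findings


def check_ckv_aws_41(tf_text):
    """Simplified verdict in Checkov's terms: FAILED if any hard-coded credential is present."""
    return "FAILED" if find_hardcoded_credentials(tf_text) else "PASSED"


if __name__ == "__main__":
    for idx, attr, value in find_hardcoded_credentials(SAMPLE_TF):
        print(f'provider "aws" block #{idx}: {attr} is hard coded ("{value}")')
    print(check_ckv_aws_41(SAMPLE_TF))  # prints FAILED for the constructed sample
```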