Base64 High Entropy String

Bridgecrew Policy ID: BC_GIT_6
Checkov Check ID: CKV_SECRET_6
Severity: LOW


Description

Entropy checks help detect unstructured secrets by measuring the Shannon entropy of a single string, a numerical score for how unpredictable the string is. A randomly generated key or a base64-encoded token uses many different characters at roughly even frequencies and scores high; a dictionary word, a URL or a variable name repeats a few characters and scores low. This check looks at runs of base64 characters (A-Z, a-z, 0-9, +, / and =) and flags any run whose entropy exceeds a threshold as a suspected secret. Because the heuristic sees only the string itself, it also flags non-secrets such as hashes, random identifiers and base64-encoded binary data, so review each finding before acting on it.

Fix - Buildtime

Multiple Services

Step 1: Revoke the exposed secret.
Start by establishing which services the secret grants access to, then use the corresponding provider or API documentation to revoke it and issue a replacement. Treat the old value as compromised from the moment it was committed, not from the moment it was found.

Step 2: Clean the git history.
Remove the secret from every commit that contains it by rewriting history (for example with git filter-repo or the BFG Repo-Cleaner), force-push the rewritten branches and have collaborators re-clone. Changing the repository's visibility in the GitHub project settings does not remove the secret: it stays in the commit history, in forks and in existing clones, and GitHub may still serve cached views of the old commits unless you ask GitHub Support to purge them. Rewriting history is cleanup, not containment; the revocation in Step 1 is what closes the exposure.

Step 3: Check the relevant access logs (for example CloudTrail for AWS credentials) to confirm the key was not used during the exposure window, and treat any unexpected use as an incident.

Fix - Terraform

resource "aws_glue_connection" "examplevpc" {
  connection_properties = {
    JDBC_CONNECTION_URL = "jdbc:mysql://${aws_rds_cluster.example.endpoint}/exampledatabase"
 -  PASSWORD            = "valuethatdoesntcontainsecretword"   # remove the inline credential; it is still a secret even if it passes the entropy check
    USERNAME            = "exampleusername"
  }

  name = "example"

  physical_connection_requirements {
    availability_zone      = aws_subnet.example.availability_zone
    security_group_id_list = [aws_security_group.example.id]
    subnet_id              = aws_subnet.example.id
  }
}

Don't hardcode the secret in the resource. Pull it in at plan/apply time from a secret store of your choice, for example a SecureString parameter in AWS Systems Manager Parameter Store read through a data source, or AWS Secrets Manager, so that only a reference to the secret is committed. If the value was already committed to source, follow the git history instructions stated previously.
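The following is an added example, not code from Checkov or from the page above: a minimal version of the base64 high-entropy check described in the Description section, run over a constructed "before" configuration with an inline password and a constructed "after" configuration that reads the password from Parameter Store, as the fix recommends. The 20-character minimum run length, the 4.5 bits-per-character threshold (the detect-secrets default for base64 strings, which is the scanner behind Checkov's secrets checks), the parameter name and the data source label are all assumptions for illustration; the password value is made up.

```python
import math
import re

# Character class the base64 detector scans: the base64 alphabet plus padding.
BASE64_ALPHABET = "A-Za-z0-9+/="
# Assumption: ignore runs shorter than 20 characters; short words are never
# flagged and would only add noise.
BASE64_RUN = re.compile(r"[%s]{20,}" % BASE64_ALPHABET)
# Assumption: 4.5 bits per character, the default base64 limit in detect-secrets.
BASE64_ENTROPY_LIMIT = 4.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character, from observed frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_high_entropy_strings(text: str, limit: float = BASE64_ENTROPY_LIMIT):
    """Return (line_number, token, entropy) for every base64-looking run whose
    entropy exceeds limit. Each line is scanned independently."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in BASE64_RUN.finditer(line):
            token = match.group(0)
            entropy = shannon_entropy(token)
            if entropy > limit:
                findings.append((lineno, token, round(entropy, 2)))
    return findings


# Constructed "before" configuration: a random-looking password committed
# inline. The value is a made-up example, not a real credential.
BEFORE_HCL = """\
resource "aws_glue_connection" "example" {
  connection_properties = {
    JDBC_CONNECTION_URL = "jdbc:mysql://${aws_rds_cluster.example.endpoint}/exampledatabase"
    PASSWORD            = "Xk9vL2pQ7mRz4WbT8nJc5HdF3yGs6aEu1oVi0qBw"
    USERNAME            = "exampleusername"
  }
  name = "example"
}
"""

# Constructed "after" configuration: the password is read from a SecureString
# parameter in AWS Systems Manager Parameter Store at plan/apply time. The
# parameter name and the data source label are assumptions for illustration.
AFTER_HCL = """\
data "aws_ssm_parameter" "glue_db_password" {
  name            = "/glue/example/db_password"
  with_decryption = true
}

resource "aws_glue_connection" "example" {
  connection_properties = {
    JDBC_CONNECTION_URL = "jdbc:mysql://${aws_rds_cluster.example.endpoint}/exampledatabase"
    PASSWORD            = data.aws_ssm_parameter.glue_db_password.value
    USERNAME            = "exampleusername"
  }
  name = "example"
}
"""


if __name__ == "__main__":
    for label, hcl in (("before", BEFORE_HCL), ("after", AFTER_HCL)):
        hits = find_high_entropy_strings(hcl)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, token, entropy in hits:
            print(f"  line {lineno}: entropy {entropy} -> {token}")
    # The lowercase placeholder from the Terraform block above scores well
    # under the threshold, which is why the check does not report it.
    print("placeholder entropy:",
          round(shannon_entropy("valuethatdoesntcontainsecretword"), 2))
```

The "before" input produces exactly one finding, the PASSWORD line, because the 40-character value has 40 distinct characters and scores log2(40), about 5.32 bits per character. The "after" input produces none: the Terraform reference `data.aws_ssm_parameter.glue_db_password.value` is split into short tokens by the dots and underscores, and nothing else on either input is both long enough and random enough. Note that the page's own placeholder `valuethatdoesntcontainsecretword` scores only about 3.7 bits and is therefore not flagged either, which illustrates the limit of the heuristic: a low-entropy value that passes the check is still a hardcoded credential.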