Draft: Add rules for additional AWS secrets
What does this MR do?
The merge request updates the rules for identifying AWS credentials and sensitive IDs.
It adds three new rules to detect AWS Secrets and modifies the existing rule description.
- AWS Temporary Access Keys
- AWS Service Bearer Token
- AWS Cognito Identity Pool IDs
Public offensive security research and automated tooling show that an attacker who finds the ID of an identity pool that allows self-registration or unauthenticated access can obtain valid AWS credentials from it. An attacker searching through public code and repositories might use this as a foothold. The prerequisites to do so are:
- the Cognito Identity Pool ID
- the AWS Account ID (considered by AWS not to be sensitive, and can be reverse engineered from AWS access keys)
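As an added illustration of what these rules are meant to catch (this is example code, not part of this MR and not the analyzer's own rule definitions), the following Python scans a constructed sample file for the credential shapes described above. The regexes, the `Finding` type and the sample values are my assumptions; the only AWS facts relied on are that long-term access key IDs start with `AKIA`, temporary (STS) key IDs start with `ASIA`, and Cognito identity pool IDs have the form `<region>:<uuid>`.

```python
import re
from dataclasses import dataclass

# Assumed detection patterns written for this example; they are NOT the
# project's rule regexes. Access key IDs are 20 characters: a 4-char prefix
# that identifies the key type followed by 16 uppercase alphanumerics.
RULES = {
    "AWS Longterm Access Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "AWS Temporary Access Key": re.compile(r"\bASIA[0-9A-Z]{16}\b"),
    # <region>:<uuid>; the region part is simplified (e.g. us-east-1, eu-west-2)
    "AWS Cognito Identity Pool ID": re.compile(
        r"\b[a-z]{2}-[a-z]+-\d:"
        r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b"
    ),
}


@dataclass
class Finding:
    rule: str   # name of the matching rule
    line: int   # 1-based line number in the scanned text
    match: str  # the matched secret text


def scan(text: str) -> list[Finding]:
    """Return every rule hit in `text`, ordered by line, then by rule order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(rule, line_no, m.group(0)))
    return findings


def redact(text: str) -> str:
    """Replace each hit with a placeholder so the text is safe to log."""
    for rule, pattern in RULES.items():
        text = pattern.sub(f"[REDACTED {rule}]", text)
    return text


# Constructed sample input (not real credentials). The AGPA value on the
# last line is an IAM group ID shape, included to show that the key rules
# key off the type prefix and do not fire on every 20-character AWS ID.
SAMPLE = """\
# constructed sample, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[sts-session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_session_token = FwoGZXIvYXdzEBYaDExample
identityPoolId: "us-east-1:1f2e3d4c-5b6a-4798-8c9d-0a1b2c3d4e5f"
group_id = AGPAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.match}")
    print(redact(SAMPLE))
```

Two caveats worth keeping in mind when tuning rules like these: a temporary key ID is only usable together with its secret and session token, so a lone `ASIA...` hit is a weaker signal than a long-term key, and a Cognito identity pool ID is only an attack foothold when the pool permits unauthenticated or self-registered identities, which a regex cannot tell; the rule's job is to surface it so a human can check the pool's configuration.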
Additionally, this MR updates the description of the existing rule for AWS Access Tokens to "AWS Longterm Access Key", which uses the AWS terminology of "key" rather than "token" and stresses the difference between temporary and long-term credentials.
These changes enhance the tool's ability to identify sensitive AWS secrets for users who might accidentally commit them.
What are the relevant issue numbers?
gitlab-org/security-products/tests/secrets!58 (merged) - Adds necessary secrets for pipeline success
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests updated/added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer