Securing sensitive data that resides on Amazon Web Services (AWS), enabling security features, is becoming a tough task nowadays. Recently, an AWS employee, DevOps Cloud Engineer, leaked over a gigabyte worth of data to a personal GitHub repository. The leak was identified by a third-party cybersecurity vendor on the exposed GitHub repository within 30 minutes of the upload. The documents contained sensitive data such as log files and resource templates with hostnames of ‘probable’ AWS customers.
Over the years, AWS encryption keys have been exposed, accidentally, multiple times. A recent paper by the North Carolina State University (NCSU) reports that several API keys or tokens can be routinely found on GitHub, compromising high-value targets. The six-month study found that over 100,00 repositories suffered leaks with 1792 unique keys leaked every day on the platform.
Is this GitHub’s fault?
One might blame GitHub for its expansive repository and its search API that makes it easy for anyone to look up secret key data. While the leaks happen on the GitHub, the onus lies on the developers to protect sensitive data.
Most of the times developers get careless when it comes to commits and code pushes on GitHub. For example, APIs and SSH keys are embedded in the website source code or on public repos. Up to 81 percent of these ‘leaks’ remain in GitHub repos for over 16 days or remain undetected. The top 4 ways to scan GitHub repos for credentials being:
- GitHub dorks
- Repo security scanner
A significant finding from the study was that the average
discovery time for a leaked key is 20 seconds; leaving little room for fixing the human error. The cost of such leaks goes beyond the monetary loss to a company. Data leaks impact all aspects of a business such as brand value, reputation, loss of customer trust and satisfaction, and loss of customers. For example, in 2017, Uber revealed a massive data leak due to a security breach on Uber’s AWS S3 buckets. Over 57 million customer and driver data was stolen from Uber. The credentials for AWS were found on a private repository by a hacker and kept a secret for over a year. The aftermath? Uber had to pay a fine of $148 million for failing to disclose the breach on time. Its reputation was severely affected, with countries like the United Kingdom, Denmark, and Hungary refusing to renew its license or forcing it to quit. The breach could have been avoided if Uber had implemented multifactor authentication on repos that included AWS credentials.
Apart from in-house developers, careless data leaks are exacerbated by third-party developers that lack proper security training. Hackers are always on the lookout for vulnerabilities and crawling publicly accessible data to access sensitive source code, hard-coded credentials, and API keys.
Measures to secure your AWS Keys
Securing any process or system begins with a structured secure software development policy that is properly enforced and monitored. Most large companies invest in security training for their developers, but some keys do slip through the crack. The main problem identified Developers and Engineers at organizations that use AWS are unaware of the AWS suite of security tools to store sensitive data. Some of the tools AWS provides are:
- AWS Secrets Manager: It helps organizations to protect data that are required to access organizational applications, services, and IT resources. By using this service, companies can manage database credentials, API keys, and other sensitive data throughout its lifecycle.
- AWS Key Management Service (KMS): By using KMS, we can create and manage cryptographic keys and control their use.
- AWS Certificate Manager (ACM): ACM handles the process of creating and managing public SSL/TLS certificates for AWS based websites and applications.
GitHub is an essential part of any organization’s or individual’s application development process. A few key practices can help avoid security issues or help in quick resolution of issues and protect sensitive data from prying eyes of a hacker. GitHub, on its part, is helping secure the platform with partnerships and third-party online services, such as Token Scanning, to improve detection of credentials, API keys, and tokens by matching certain patterns and notifying the service provider.