AWS Credentials in Boto3 and CLI Debug Output — and the AWS Console
ACM.68 Do you know where all your credentials and secrets are being output in logs, debug information, or in the AWS console?
This is a continuation of my series on Automating Cybersecurity Metrics.
I must digress for a moment from the networking topics I’ve been writing about because I’m running into a lot of bugs trying to execute CloudFormation scripts. Those bugs led me to a post on debugging. The post on debugging (up next) led to this warning about sending and sharing debug output and logs generated by AWS tools, or any other tools for that matter.
One of the things you can do is add --debug to the end of AWS CLI commands to get debug output, as we’ll see in the next post.
You can do the same with Boto3 (the AWS Python SDK I wrote about here):
What does your debug output contain?
WARNING. Your debug output contains AWS credentials that can be used to access your account. Be careful where you store and with whom you share your debug output.
I’ve had AWS support people ask me to send the output of this debug stack to them before. I’m sure they are just trying to do their job but big huge warning:
This output has a security token in it that can access your AWS account – without MFA – because it is an active session token.
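Botocore's DEBUG output logs each outgoing HTTP request with its headers, which is where the SigV4 Authorization header (carrying the access key ID) and the X-Amz-Security-Token header (carrying the active session token) end up. The example below is added here and is not code from the post: it installs a logging filter that rewrites those values before they reach a log file or console, and it offers a check you can run over a saved debug log before sending it to anyone. The sample log line and every credential value in it are constructed for the example; install_redacting_handler and filtered_output are helpers assumed for this example, not boto3 or botocore APIs (boto3's own boto3.set_stream_logger attaches a handler with no such filter).

```python
import io
import logging
import re

# Constructed sample modelled on the shape of botocore's "Sending http request"
# DEBUG line. Every credential value here is made up for the example; none is a
# real key, signature or token.
SAMPLE_DEBUG_LINE = (
    "Sending http request: <AWSPreparedRequest stream_output=False, method=GET, "
    "url=https://sts.amazonaws.com/, headers={"
    "'Authorization': 'AWS4-HMAC-SHA256 "
    "Credential=ASIAEXAMPLE123456789/20240101/us-east-1/sts/aws4_request, "
    "SignedHeaders=host;x-amz-date;x-amz-security-token, "
    "Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef', "
    "'X-Amz-Security-Token': 'FwoGZXIvYXdzEXAMPLEsessiontokenEXAMPLE', "
    "'X-Amz-Date': '20240101T000000Z'}>"
)

# (pattern, replacement) pairs applied in order. Header names are matched
# case-insensitively because they appear in different casings in different lines.
REDACTIONS = [
    # Access key IDs: AKIA... is a long-term key, ASIA... a temporary (STS) key.
    (re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"), r"\1[REDACTED]"),
    # The whole SigV4 Authorization header value (key ID and signature).
    (re.compile(r"(['\"]?Authorization['\"]?\s*[:=]\s*['\"])([^'\"]*)(['\"])",
                re.IGNORECASE), r"\1[REDACTED]\3"),
    # The session token header value: this is the live session credential.
    (re.compile(r"(['\"]?X-Amz-Security-Token['\"]?\s*[:=]\s*['\"])([^'\"]*)(['\"])",
                re.IGNORECASE), r"\1[REDACTED]\3"),
]
FINDING_LABELS = ["access key ID", "Authorization header", "X-Amz-Security-Token header"]


def redact(text: str) -> str:
    """Return text with every credential-shaped value replaced by a marker."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def credential_findings(text: str) -> list:
    """List which credential kinds occur in text: a pre-share check for a saved debug log."""
    return [label for label, (pattern, _) in zip(FINDING_LABELS, REDACTIONS)
            if pattern.search(text)]


class RedactingFilter(logging.Filter):
    """Rewrites each LogRecord's message before any formatter sees it.

    Attach this to a handler, not a logger: a filter on logging.getLogger("botocore")
    never sees records created by child loggers such as botocore.endpoint, whereas a
    handler's filters run for every record that reaches the handler.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is fully rendered; nothing left to %-format
        return True


def install_redacting_handler(logger_name: str = "botocore", stream=None) -> logging.Handler:
    """Turn on DEBUG logging for logger_name through a handler that redacts credentials.

    Assumed helper for this example: it does what boto3.set_stream_logger does, with
    the redacting filter added. stream=None means stderr, as for StreamHandler.
    """
    handler = logging.StreamHandler(stream)
    handler.setLevel(logging.DEBUG)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s"))
    logger = logging.getLogger(logger_name)
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    return handler


def filtered_output(message: str, logger_name: str = "example.botocore.endpoint") -> str:
    """Send one DEBUG message through a redacting handler and return what it wrote.

    Exercises the filter end to end with no AWS call: the handler sits on the parent
    logger "example.botocore" and the record is emitted from a child logger, the same
    propagation path real botocore records take.
    """
    buf = io.StringIO()
    parent = logging.getLogger("example.botocore")
    parent.propagate = False  # keep the demo out of the root logger's handlers
    handler = install_redacting_handler("example.botocore", buf)
    try:
        logging.getLogger(logger_name).debug(message)
    finally:
        parent.removeHandler(handler)
    return buf.getvalue()


if __name__ == "__main__":
    print("Found in sample line:", credential_findings(SAMPLE_DEBUG_LINE))
    print(filtered_output(SAMPLE_DEBUG_LINE), end="")
```

The filter only protects what goes through Python's logging module; the credentials still live in the process environment, in ~/.aws/credentials or wherever the session was loaded from, and in any CLI --debug output captured separately, so treat redaction as a second line of defence and run credential_findings over any log before sharing it rather than assuming it is clean.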
I’m going to show you how we can leverage these tokens in a later blog post but for now, any time you