AWS's "Secret Key" is (obviously) a secret, but should an "Access Key" alone (without the corresponding secret key) be considered a secret too?
-
Think of the access key as your username (completely disposable of course) and the secret key as your password, so the same rules apply on secrecy, at least imho. – RandomUs1r Jun 18 '18 at 22:29
3 Answers
The Access Key ID is used for identifying the access key in logs, configuration, etc. It could in some environments be considered sensitive data if you're looking to not release who accesses which systems and when, but it is not secret.
- 38,090
- 9
- 93
- 171
-
7This is correct. The AWS AccessKeyId is used in Presigned URLs, API requests, etc. Although everything should be kept secret as much as possible, public display of an AWS account number or access key is not a security vulnerability by themselves. – John Hanley Jul 18 '18 at 21:27
While the AWS Access Key ID is like a username (and the Secret Access Key is like a password), the Access Key ID is also designed to be shared and AWS does this explicitly with the AWS Presigned Object URL feature as mentioned by John Hanley in a previous comment. This is an expanded response.
AWS Presigned Object URLs are shareable links designed to be given to non-authenticated users. The following is a description of AWS Presigned Object URLs from AWS docs:
All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permission to download the objects.
AWS documentation has a lot of code to create the URLs but I couldn't find example URLs. An example Presigned Object URL is available in the following CloudBerry Lab guide showing 3 query string parameters including AWSAccessKeyId
, Signature
and Expires
.
https://cloudberry-examples.s3.amazonaws.com/invoices/user1234/july2018.pdf?AWSAccessKeyId=AKIALGKOKBY37F5FZF4I&Signature=bPSs8Kcak%2FgjEqqjOO5cFS022x0%3D&Expires=1531446995
- Guide: "Using Amazon S3 Pre-Signed URLs for Temporary Object Access"
- Guide URL: https://www.cloudberrylab.com/resources/blog/s3-pre-signed-url-guide/
- 549
- 5
- 7
Answer to your question is; Yes, you have to secure the access key and AWS recommends following mechanism for securing access keys:
As a security best practice, an administrator, regularly rotate (change) the access keys for IAM users in your account. Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
You can also create and use temporary access keys, known as temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid. You can use temporary access keys in less secure environments or distribute them to grant users temporary access to resources in your AWS account. Source: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
Note: If you consider your Access key as user name and secret key as password. I'm sure you will not share your user name with a hacker to ease his job on hacking your account. Though AWS Access Key is not secret but should be managed as recommended by AWS.
Hope this clarifies your query.
- 2,033
- 1
- 11
- 21