Kyaw_Myo_Oo
Contributor III

AWS and Google Cloud command-line tools can expose secrets in CI/CD logs

Dear All,

 

Security researchers warn that certain commands executed in the AWS and Google Cloud command-line interfaces (CLIs) will return credentials and other secrets stored in environment variables as part of the standard output. If such commands are executed as part of build workflows in CI/CD tools, the secrets will be included in the returned build logs.

AWS and Google Cloud consider this expected behavior, and it is up to users to take steps to ensure sensitive command outputs are not saved in logs or that sensitive credentials are stored securely and not in environment variables. The Microsoft Azure CLI had a similar behavior, but Microsoft flagged it as an information disclosure vulnerability and fixed it back in November.

 

https://www.csoonline.com/article/2092486/aws-and-google-cloud-command-line-tools-can-expose-secrets...

 

 

Kyaw Myo Oo
Manager, CB BANK PCL
CCIE #58769 | PCNSE | SAA-C03 | CCSM | CISSP | PMP
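
One way to keep such output out of build logs, as an added example that is not part of the original post or of either CLI: a wrapper that runs a build step and masks any value of a sensitive-looking environment variable before the output is logged. The name pattern, the minimum length and the stand-in child command are assumptions; exact-match masking does not catch encoded forms of a secret (for example base64).

```python
import os
import re
import subprocess
import sys

# Name fragments that mark an environment variable as sensitive (assumed list).
SENSITIVE_NAME = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|API_?KEY|ACCESS_KEY)", re.I)
MIN_LEN = 6  # skip very short values: masking them would shred ordinary log text


def sensitive_values(env):
    """Return the values of sensitive-looking variables, longest first."""
    vals = {v for k, v in env.items()
            if SENSITIVE_NAME.search(k) and len(v) >= MIN_LEN}
    # Longest first so a secret that contains another secret is masked whole.
    return sorted(vals, key=len, reverse=True)


def redact(text, env):
    """Replace every occurrence of a sensitive value in text with a mask."""
    for value in sensitive_values(env):
        text = text.replace(value, "***REDACTED***")
    return text


def run_redacted(cmd, env):
    """Run cmd with env and return (exit code, redacted stdout+stderr)."""
    proc = subprocess.run(cmd, env=env, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True)
    return proc.returncode, redact(proc.stdout, env)


if __name__ == "__main__":
    # Constructed demo: the child stands in for a CLI that echoes its environment.
    demo_env = dict(os.environ,
                    AWS_SECRET_ACCESS_KEY="constructed-example-secret-value",
                    BUILD_ID="1234")
    child = [sys.executable, "-c", "import os; print(dict(os.environ))"]
    code, out = run_redacted(child, demo_env)
    print(out)
    sys.exit(code)
```
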
2 Replies
ericgeater
Community Champion

AWS and Google Cloud consider this expected behavior

 

That's one way to get your customers to correct bad behavior and clean up their repositories, I guess.

-----------
A claim is as good as its veracity.
Kyaw_Myo_Oo
Contributor III

Thank you for contributing your thoughts @ericgeater.

 

 

Kyaw Myo Oo
Manager, CB BANK PCL
CCIE #58769 | PCNSE | SAA-C03 | CCSM | CISSP | PMP