no-hardcoded-credentials-sdk
Detects hardcoded AWS credentials in SDK client configurations. This rule is part of [`eslint-plugin-lambda-security`](https://www.npmjs.com/package/eslint-plug
Keywords: AWS credentials, hardcoded secrets, CWE-798, security, ESLint rule, Lambda, SDK, credential provider, auto-fix, LLM-optimized
Detects hardcoded AWS credentials in SDK client configurations. This rule is part of eslint-plugin-lambda-security and provides LLM-optimized error messages.
⚠️ This rule errors by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-798 (Use of Hard-coded Credentials) |
| Severity | 🔴 Critical |
| Auto-Fix | ✅ Yes (suggests credential provider) |
| Category | Security |
| Best For | AWS Lambda handlers, SDK configurations, serverless apps |
Vulnerability and Risk
Vulnerability: Hardcoded AWS access keys in source code can be extracted from compiled artifacts, leaked in version control, or exposed through code sharing.
Risk: Attackers gaining access to AWS credentials can:
- Access and exfiltrate data from S3, DynamoDB, etc.
- Spin up resources for crypto mining
- Delete or encrypt data for ransom
- Pivot to other AWS services
Rule Logic Flow
Examples
❌ Incorrect
import { S3Client } from '@aws-sdk/client-s3';
// Hardcoded credentials - CRITICAL VULNERABILITY
const client = new S3Client({
credentials: {
accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
},
});
// DynamoDB with hardcoded keys
const dynamodb = new DynamoDBClient({
credentials: {
accessKeyId: 'ASIAIOSFODNN7EXAMPLE',
secretAccessKey: 'someSecretKey123456789012345678901234',
},
});✅ Correct
import { S3Client } from '@aws-sdk/client-s3';
import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
// Use credential provider chain - SAFE
const client = new S3Client({
credentials: fromNodeProviderChain(),
});
// Lambda automatically uses execution role - SAFE
const client = new S3Client({});
// Environment variables (handled by Lambda) - SAFE
const client = new S3Client({
credentials: {
accessKeyId: process.env.AWS_ACCESS_KEY_ID,
secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
},
});Detection Patterns
| Pattern | Risk Level | Description |
|---|---|---|
AKIA* access key | 🔴 Critical | IAM user access key (permanent) |
ASIA* access key | 🔴 Critical | STS temporary access key |
Literal secretAccessKey | 🔴 Critical | Any hardcoded secret (>=20 chars) |
| Template literal credentials | 🟡 High | Dynamic construction is suspicious |
Options
| Option | Type | Default | Description |
|---|---|---|---|
allowInTests | boolean | true | Allow hardcoded credentials in test files |
{
"rules": {
"lambda-security/no-hardcoded-credentials-sdk": [
"error",
{
"allowInTests": true
}
]
}
}Best Practices
1. Use Lambda Execution Role
// Lambda automatically assumes its execution role
// No credentials needed!
const client = new S3Client({});2. Use Credential Provider Chain
import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
const client = new S3Client({
credentials: fromNodeProviderChain(),
});3. Use AWS Secrets Manager for Third-Party Credentials
import {
SecretsManagerClient,
GetSecretValueCommand,
} from '@aws-sdk/client-secrets-manager';
async function getCredentials() {
const client = new SecretsManagerClient({});
const response = await client.send(
new GetSecretValueCommand({ SecretId: 'my-api-key' }),
);
return JSON.parse(response.SecretString);
}Related Rules
no-secrets-in-env- Detects secrets in environment variable definitionsno-env-logging- Detects logging of environment variables
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Credentials from Variable
Why: Credential objects stored in variables are not analyzed.
// ❌ NOT DETECTED - Credentials from variable
const creds = {
accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
secretAccessKey: 'wJalrXUtnFEMI/K7MDENG...',
};
const client = new S3Client({ credentials: creds });Mitigation: Use credential providers. Never store credentials in variables.
Credentials from Import
Why: Credentials imported from other modules are not visible.
// ❌ NOT DETECTED - Credentials from import
import { awsCredentials } from './config';
const client = new S3Client({ credentials: awsCredentials });Mitigation: Apply rule to config modules. Use credential providers.
Base64/Encoded Credentials
Why: Encoded credentials are not decoded.
// ❌ NOT DETECTED - Encoded credentials
const key = Buffer.from('QUtJQUlP...', 'base64').toString();
const client = new S3Client({
credentials: { accessKeyId: key, secretAccessKey: '...' },
});Mitigation: Never encode credentials as an obfuscation technique.
Third-Party AWS Wrappers
Why: Only official AWS SDK patterns are recognized.
// ❌ NOT DETECTED - Third-party wrapper
import { createS3Client } from 'my-aws-helper';
const client = createS3Client({
accessKeyId: 'AKIA...',
});Mitigation: Configure rule for third-party library patterns.
Resources
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-798 OWASP:A04 CVSS:9.8 | Hardcoded Credentials detected | CRITICAL [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001,NIST-CSF]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A04_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-798 OWASP:A04 CVSS:9.8 |
| Issue Description | Specific vulnerability | Hardcoded Credentials detected |
| Severity & Compliance | Impact assessment | CRITICAL [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001,NIST-CSF] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
no-env-logging
Detects logging of environment variables which may contain secrets. This rule is part of [`eslint-plugin-lambda-security`](https://www.npmjs.com/package/eslint-
no-permissive-cors-middy
Detects permissive CORS configurations in Middy middleware. This rule is part of [`eslint-plugin-lambda-security`](https://www.npmjs.com/package/eslint-plugin-l