Protect AWS account IDs exposed by taskcat logs #2
Labels: enhancement (New feature or request)
ShahradR added a commit to ShahradR/s3-logging that referenced this issue on Jun 27, 2020:
Add integration tests to the CI pipeline using the action-taskcat GitHub Action (see ShahradR/action-taskcat). This workflow additionally leverages the configure-aws-credentials action (see aws-actions/configure-aws-credentials) to manage AWS credentials. That action should mask the AWS account ID as a side-effect, which should help mitigate some security issues. Because the action is still in development, the current version of action-taskcat is referenced using the commit ID. This will need to be updated once the action is released and properly tagged. Associated issues: #3, ShahradR/action-taskcat#2
ShahradR added a commit that referenced this issue on Sep 27, 2020:
Add a UML sequence diagram outlining the logic for the post-entrypoint script, which is responsible for:
- masking the AWS account ID from the taskcat_output logs
- publishing the sanitized taskcat_output logs as artifacts
Associated issue: #2
ShahradR added a commit that referenced this issue on Sep 27, 2020:
Add the replace-in-file Node module (https://git.io/JUBEz) as a dependency to this project. This module will be used to mask the AWS account ID in the files under the taskcat_outputs directory, should the ID have been printed in the logs. Associated issue: #2
ShahradR added a commit that referenced this issue on Sep 27, 2020:
Add the glob Node module (https://git.io/v5fMF) as a dev dependency to this project. This module is used by replace-in-file to match patterns when searching for files and folders. While the module is not directly used in the project, we reference glob in unit tests to mock different paths without hitting the filesystem, ensuring that the configuration passed to replace-in-file matches log files in the taskcat_outputs/ directory. Associated issue: #2
ShahradR added a commit that referenced this issue on Sep 27, 2020:
Implement the maskAccountId function, which is responsible for replacing instances of the AWS account ID found in the taskcat_output logs with "***", masking them before publishing the artifacts. This commit also introduces unit tests covering the new function. Associated issue: #2
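Added example, not the action-taskcat project's own code: a self-contained TypeScript version of the masking step this commit describes, using plain string replacement instead of the project's replace-in-file dependency. The log lines and account IDs below are constructed, and the extra ARN-based pass is an assumption added for defence in depth.

```typescript
// Added example (not the project's code). Masks an AWS account ID in
// taskcat log text before the logs are published as CI artifacts.
const MASK = "***";

// Replace every occurrence of the known account ID with "***".
// Rejects anything that is not a 12-digit ID so a misconfigured secret
// (empty string, wrong variable) cannot silently leave the logs unmasked.
export function maskAccountId(text: string, accountId: string): string {
  if (!/^\d{12}$/.test(accountId)) {
    throw new Error("accountId must be a 12-digit AWS account ID");
  }
  // accountId is digits only, so it is safe to use directly as a pattern.
  return text.replace(new RegExp(accountId, "g"), MASK);
}

// Second pass (assumption, not in the original): mask any 12-digit value in
// the account position of an ARN, arn:partition:service:region:ACCOUNT:...,
// so IDs the workflow did not know about (e.g. a cross-account principal
// created by the test stack) are caught as well.
export function maskArnAccountIds(text: string): string {
  return text.replace(
    /(arn:[a-z-]+:[a-z0-9-]*:[a-z0-9-]*:)\d{12}(?=:)/g,
    `$1${MASK}`
  );
}

// Sanitize a whole log: known ID first, then any leftover ARN account IDs.
export function sanitizeLog(text: string, accountId: string): string {
  return maskArnAccountIds(maskAccountId(text, accountId));
}

// Constructed taskcat-style log lines; the account IDs are not real.
export const SAMPLE_LOG = [
  "[INFO] Creating stack tCaT-s3-logging in account 123456789012",
  "[INFO] Bucket arn:aws:s3:::tcat-bucket created",
  "[INFO] Role arn:aws:iam::123456789012:role/tCaT-role assumed",
  "[INFO] Cross-account principal arn:aws:iam::210987654321:root granted",
].join("\n");

console.log(sanitizeLog(SAMPLE_LOG, "123456789012"));
```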
ShahradR added a commit that referenced this issue on Sep 27, 2020:
Update the end-to-end tests in action-taskcat.test.ts to fix the code breaking the "no-var" and "@typescript-eslint/no-inferrable-types" ESLint rules. Associated issue: #2
ShahradR added a commit that referenced this issue on Nov 29, 2020:
Baseline pre-commit hooks and Git files
taskcat includes the account ID in its output and logs. While the account ID is not as sensitive as a password or an access key, and is even shared when configuring cross-account access, an attacker can use that information to identify and exploit vulnerable IAM resources, as outlined in this Rhino Security Labs blog post.
Exposing an account ID could make taskcat unsuitable for use in open-source projects, where the pipeline's output, including the logs, would be made available to anyone on the internet.
This issue is to determine a methodology for creating AWS accounts for taskcat's end-to-end tests, where the build pipeline would run using GitHub Actions, while limiting the attack surface.