AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs

April 16, 2024 at 10:36AM

New cybersecurity research reveals that CLI tools from AWS and Google Cloud can expose sensitive credentials in build logs, posing risks to organizations. Microsoft has addressed the issue, while Amazon and Google consider it expected behavior, advising organizations to avoid storing secrets in environment variables and use dedicated secrets store services. Adversaries could potentially access sensitive information if environment variables are exposed.

The meeting notes discuss a new cybersecurity vulnerability called LeakyCLI, which exposes sensitive credentials in build logs of Amazon Web Services (AWS) and Google Cloud CLI tools. The vulnerability can leak access tokens and other sensitive data through GitHub Actions, CircleCI, TravisCI, and Cloud Build logs. Microsoft has addressed the issue with a security update, while Amazon and Google advise organizations to avoid storing secrets in environment variables and instead use dedicated secrets store services like AWS Secrets Manager or Google Cloud Secret Manager. Additionally, Google recommends using the "--no-user-output-enabled" option to suppress the printing of command output to standard output and standard error in the terminal. The notes also highlight the potential risks associated with this vulnerability and the need for organizations to take steps to secure their environment.