In AWS, long-term access keys provide persistent programmatic access to AWS services but carry a higher risk than temporary credentials because they do not expire automatically.

Why is this an issue?

This rule detects uses of com.amazonaws.auth.BasicAWSCredentials, a class that creates long-term credential objects. Unlike temporary credentials, long-term access keys remain valid indefinitely until manually revoked, making them a persistent risk if exposed. Using long-term keys in application code increases the risk of accidental exposure and makes credential rotation harder to enforce.

What is the potential impact?

If a long-term access key is exposed through source code, configuration files, or logs, an attacker gains persistent access to AWS resources until the key is manually revoked. This can lead to unauthorized access to sensitive data, privilege escalation, or significant financial costs from resource abuse.

How to fix it

The preferred approach is to avoid static credentials entirely by using IAM roles, which provide short-lived credentials automatically. On EC2, ECS, or Lambda, assign an IAM role to the instance or task — the AWS SDK picks up the credentials without any code changes via the default credential provider chain.

Where temporary credentials must be obtained programmatically, use AWS STS to request short-lived session credentials.

Code examples

Noncompliant code example

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
// ...

AWSCredentials awsCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey); // Noncompliant

Compliant solution

import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.model.Credentials;
// ...

// session_creds is the Credentials object returned by an STS AssumeRole call;
// the resulting session credentials expire and carry a session token
BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
   session_creds.getAccessKeyId(),
   session_creds.getSecretAccessKey(),
   session_creds.getSessionToken());
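A fuller version of the compliant approach, added here as an illustration rather than taken from the rule's own documentation: it shows the AssumeRole call that produces session_creds and, for long-running services, a provider that refreshes the session credentials automatically. The role ARN, session name and class name are placeholders, and the STS client itself authenticates through the default provider chain as described under "How to fix it".

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;

public class ShortLivedCredentialsExample {

    // One-shot AssumeRole: this is where the "session_creds" of the compliant
    // snippet come from. The returned credentials expire after durationSeconds,
    // so a leaked copy is only useful for a short window.
    static BasicSessionCredentials assumeRoleOnce(AWSSecurityTokenService sts,
                                                  String roleArn, String sessionName) {
        Credentials sessionCreds = sts.assumeRole(new AssumeRoleRequest()
                .withRoleArn(roleArn)
                .withRoleSessionName(sessionName)
                .withDurationSeconds(900)) // 15 minutes, the smallest STS accepts
                .getCredentials();
        return new BasicSessionCredentials(sessionCreds.getAccessKeyId(),
                sessionCreds.getSecretAccessKey(), sessionCreds.getSessionToken());
    }

    // Preferred for long-running services: the provider caches the session
    // credentials and refreshes them before expiry, so the application never
    // handles key material directly and there is nothing long-lived to rotate.
    static AWSCredentialsProvider refreshingAssumeRole(AWSSecurityTokenService sts,
                                                       String roleArn, String sessionName) {
        return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                .withStsClient(sts)
                .withRoleSessionDurationSeconds(900)
                .build();
    }

    public static void main(String[] args) {
        // The STS client itself authenticates through the default provider chain,
        // i.e. the IAM role of the instance, task or function; no static keys.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.defaultClient();
        // Placeholder ARN: substitute a role whose trust policy allows this caller.
        String roleArn = "arn:aws:iam::123456789012:role/ExampleReadOnly";
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(refreshingAssumeRole(sts, roleArn, "rule-demo"))
                .build();
        s3.listBuckets().forEach(b -> System.out.println(b.getName()));
    }
}
```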
