In AWS, long-term access keys provide persistent programmatic access to AWS services but carry a higher risk than temporary credentials because they do not expire automatically.
This rule detects uses of com.amazonaws.auth.BasicAWSCredentials, the AWS SDK for Java v1 class that wraps a static access key ID and secret access key as a long-term credential object. Unlike temporary credentials, long-term access keys remain valid indefinitely until manually revoked, so they are a persistent risk if exposed. Embedding long-term keys in application code increases the risk of accidental exposure (commits, logs, crash dumps) and makes credential rotation harder to enforce, because every copy of the code has to be updated when the key changes.
If a long-term access key is exposed through source code, configuration files, or logs, an attacker gains persistent access to AWS resources until the key is manually revoked. This can lead to unauthorized access to sensitive data, privilege escalation, or significant financial costs from resource abuse.
The preferred approach is to avoid static credentials entirely by using IAM roles, which provide short-lived credentials automatically. On EC2, ECS, or Lambda, attach an IAM role to the instance, task, or function; the AWS SDK picks up the credentials without any code changes through the default credential provider chain (DefaultAWSCredentialsProviderChain in SDK v1), so no credential object needs to be constructed at all.
Where temporary credentials must be obtained programmatically, use AWS STS (for example AssumeRole) to request short-lived session credentials. The call to STS should itself be authenticated through the provider chain rather than a static key, and a long-running process should use a refreshing credentials provider so that the session is renewed before it expires.
Noncompliant code example:

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;

// ...

// A static access key and secret that never expire
AWSCredentials awsCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey); // Noncompliant

Compliant solution:

import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.model.Credentials;

// ...

// stsCredentials were obtained via an STS AssumeRole call and expire automatically
BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
        stsCredentials.getAccessKeyId(),
        stsCredentials.getSecretAccessKey(),
        stsCredentials.getSessionToken()); // Compliant
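The following Java example (AWS SDK for Java v1) is added here as an illustration and is not part of the rule description or of the AWS SDK. It shows the two compliant patterns described above in working form: a client that relies purely on the default credential provider chain, and a client backed by STS AssumeRole through a refreshing provider, plus a one-off AssumeRole call that checks the session expiry. The role ARN, session name, and region are placeholders and must be replaced with your own values.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;

public class TemporaryCredentialsExample {

    // Placeholder values (assumptions for this example); replace with your own.
    private static final String ROLE_ARN = "arn:aws:iam::123456789012:role/ReadOnlyAuditRole";
    private static final String SESSION_NAME = "audit-job";
    private static final Regions REGION = Regions.US_EAST_1;

    // Option 1: no credentials in code at all. The builder falls back to
    // DefaultAWSCredentialsProviderChain, which on EC2/ECS/Lambda resolves the
    // role attached to the instance, task, or function.
    public static AmazonS3 clientFromProviderChain() {
        return AmazonS3ClientBuilder.standard()
                .withRegion(REGION)
                .build();
    }

    // Option 2: assume a role via STS. The STS client is itself authenticated
    // through the default chain, so no static key is needed to bootstrap, and
    // the provider refreshes the session credentials before they expire.
    public static AmazonS3 clientFromAssumedRole() {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .withRegion(REGION)
                .build();

        STSAssumeRoleSessionCredentialsProvider provider =
                new STSAssumeRoleSessionCredentialsProvider.Builder(ROLE_ARN, SESSION_NAME)
                        .withStsClient(sts)
                        .withRoleSessionDurationSeconds(900) // 15 minutes, the STS minimum
                        .build();

        return AmazonS3ClientBuilder.standard()
                .withCredentials(provider)
                .withRegion(REGION)
                .build();
    }

    // Option 3: a one-off AssumeRole call, as in the compliant solution above.
    // The resulting BasicSessionCredentials do NOT refresh: this is fine for a
    // short batch job, but a long-running service should use option 2.
    public static AWSStaticCredentialsProvider oneShotSessionCredentials(AWSSecurityTokenService sts) {
        AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleArn(ROLE_ARN)
                .withRoleSessionName(SESSION_NAME)
                .withDurationSeconds(900);
        Credentials creds = sts.assumeRole(request).getCredentials();

        // Log the expiry for operational visibility, never the key material.
        System.out.println("Session credentials expire at " + creds.getExpiration());

        BasicSessionCredentials session = new BasicSessionCredentials(
                creds.getAccessKeyId(),
                creds.getSecretAccessKey(),
                creds.getSessionToken());
        return new AWSStaticCredentialsProvider(session);
    }

    public static void main(String[] args) {
        // Requires an environment where the default chain can find a role or profile.
        AmazonS3 s3 = clientFromAssumedRole();
        System.out.println("Buckets visible to the assumed role: " + s3.listBuckets().size());
    }
}
```

Option 1 is the one to reach for first: it leaves nothing to rotate and nothing to leak. Option 2 is the right shape when the workload must operate under a different role than the one it runs as (cross-account access, least-privilege task roles), because STSAssumeRoleSessionCredentialsProvider re-assumes the role as the session nears expiry. Option 3 mirrors the compliant solution above; keep its duration short and do not persist the returned credentials anywhere that the original static key would have been a problem.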