<h1>Detect Stripe keys in S3 buckets with Amazon Macie</h1>
<p>Many customers building applications on Amazon Web Services (AWS) use Stripe global payment services to help get their product out faster and grow revenue, especially in the internet economy. It’s critical for customers to securely and properly handle the credentials used to authenticate with Stripe services. Much like your AWS API keys, which enable access to your AWS resources, Stripe API keys grant access to the Stripe account, which allows for the movement of real money. Therefore, you must keep Stripe’s API keys secret and well-controlled. And, much like AWS keys, it’s important to invalidate and re-issue Stripe API keys that have been inadvertently committed to GitHub, emitted in logs, or uploaded to Amazon Simple Storage Service (Amazon S3).</p>
<p>Customers have asked us for ways to reduce the risk of unintentionally exposing Stripe API keys, especially when code files and repositories are stored in Amazon S3. To help meet this need, we collaborated with Stripe to develop a new managed data identifier that you can use to help discover and protect Stripe API keys.</p>
<table width="97%">
<tbody>
<tr>
<td>“I’m really glad we could collaborate with AWS to introduce a new managed data identifier in Amazon Macie. Mutual customers of AWS and Stripe can now scan S3 buckets to detect exposed Stripe API keys.”<br>— <strong>Martin Pool,</strong> <em>Staff Engineer in Cloud Security at Stripe</em></td>
</tr>
</tbody>
</table>
<p>In this post, we will show you how to use the new managed data identifier in <a href="https://aws.amazon.com/macie/" target="_blank" rel="noopener">Amazon Macie</a> to discover and protect copies of your <a href="https://stripe.com/docs/keys" target="_blank" rel="noopener">Stripe API keys</a>.</p>
<h2>About Stripe API keys</h2>
<p>Stripe provides payment processing software and services for businesses. Using Stripe’s technology, businesses can accept online payments from customers around the globe.</p>
<p>Stripe authenticates API requests by using API keys, which are included in the request. Stripe takes various measures to help customers keep their secret keys safe and secure. Stripe users can generate <a href="https://stripe.com/docs/keys#test-live-modes" target="_blank" rel="noopener">test-mode keys</a>, which can only access simulated test data and which don’t move real money. Stripe encourages its customers to use only test API keys for testing and development purposes to reduce the risk of inadvertent disclosure of live keys or of accidentally generating real charges.</p>
<p>Stripe also supports publishable keys, which you can make publicly accessible in your web or mobile app’s client-side code to collect payment information.</p>
<p>In this blog post, we focus on <a href="https://stripe.com/docs/keys#test-live-modes" target="_blank" rel="noopener">live-mode keys</a>, which are the primary security concern because they can access your real data and cause money movement. These keys should be closely held within the production services that need to use them. Stripe allows keys to be restricted to read or write specific API resources, or used only from certain IP ranges, but even with these restrictions, you should still handle live mode keys with caution.</p>
<p>Stripe keys have distinctive prefixes to help you detect them such as <span>sk_live_</span> for secret keys, and <span>rk_live_</span> for restricted keys (which are also secret).</p>
<h2>Amazon Macie</h2>
<p><a href="https://aws.amazon.com/macie/" target="_blank" rel="noopener">Amazon Macie</a> is a fully managed service that uses machine learning (ML) and pattern matching to discover and help protect your sensitive data, such as personally identifiable information. Macie can also provide detailed visibility into your data and help you align with compliance requirements by identifying data that needs to be protected under various regulations, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).</p>
<p>Macie supports a suite of <a href="https://docs.aws.amazon.com/macie/latest/user/managed-data-identifiers.html" target="_blank" rel="noopener">managed data identifiers</a> to make it simpler for you to configure and adopt. Managed data identifiers are prebuilt, customizable patterns that help automatically identify sensitive data, such as credit card numbers, social security numbers, and email addresses.</p>
<p>Now, Macie has a new managed data identifier <span>STRIPE_CREDENTIALS</span> that you can use to identify Stripe API secret keys.</p>
<h2>Configure Amazon Macie to detect Stripe credentials</h2>
<p>In this section, we show you how to use the managed data identifier <span>STRIPE_CREDENTIALS</span> to detect Stripe API secret keys. We recommend that you carry out these tutorial steps in an AWS account dedicated to experimentation and exploration before you move forward with detection in a production environment.</p>
<h3>Prerequisites</h3>
<p>To follow along with this walkthrough, complete the following prerequisites.</p>
<h3>Create example data</h3>
<p>The first step is to create some example objects in an S3 bucket in the AWS account. The objects contain strings that resemble Stripe secret keys. You will use the example data later to demonstrate how Macie can detect Stripe secret keys.</p>
<h4>To create the example data</h4>
<ol>
<li>Open the S3 console and <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html" target="_blank" rel="noopener">create an S3 bucket</a>.</li>
<li>Create four files locally, paste the following mock sensitive data into those files, and upload them to the bucket.
<div class="hide-language">
<pre class="unlimited-height-code"><code class="lang-text">file1
stripe publishable key sk_live_cpegcLxKILlrXYNIuqYhGXoy
file2
sk_live_cpegcLxKILlrXYNIuqYhGXoy
sk_live_abcdcLxKILlrXYNIuqYhGXoy
sk_live_efghcLxKILlrXYNIuqYhGXoy
stripe payment sk_live_ijklcLxKILlrXYNIuqYhGXoy
file3
sk_live_cpegcLxKILlrXYNIuqYhGXoy
stripe api key sk_live_abcdcLxKILlrXYNIuqYhGXoy
file4
stripe secret key sk_live_cpegcLxKILlrXYNIuqYhGXoy</code></pre>
</div>
<blockquote>
<p><strong>Note:</strong> The keys mentioned in the preceding files are mock data and aren’t related to actual live Stripe keys.</p>
</blockquote>
</li>
</ol>
<h3>Create a Macie job with the STRIPE_CREDENTIALS managed data identifier</h3>
<p>Using Macie, you can scan your S3 buckets for sensitive data and security risks. In this step, you run a one-time Macie job to scan an S3 bucket and review the findings.</p>
<h4>To create a Macie job with STRIPE_CREDENTIALS</h4>
<ol>
<li>Open the <a href="https://console.aws.amazon.com/macie/" target="_blank" rel="noopener">Amazon Macie console</a>, and in the left navigation pane, choose <strong>Jobs</strong>. On the top right, choose <strong>Create job</strong>.
<div id="attachment_33426" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-33426" src="https://infracom.com.sg/wp-content/uploads/2024/02/img1-4.png" alt="Figure 1: Create Macie Job" width="624" height="225" class="size-full wp-image-33426" />
<p id="caption-attachment-33426" class="wp-caption-text">Figure 1: Create Macie Job</p>
</div> </li>
<li>Select the bucket that you want Macie to scan or specify bucket criteria, and then choose <strong>Next</strong>.
<div id="attachment_33427" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-33427" src="https://infracom.com.sg/wp-content/uploads/2024/02/img2-1.jpg" alt="Figure 2: Select S3 bucket" width="624" class="size-full wp-image-33427" />
<p id="caption-attachment-33427" class="wp-caption-text">Figure 2: Select S3 bucket</p>
</div> </li>
<li>Review the details of the S3 bucket, such as estimated cost, and then choose <strong>Next</strong>.
<div id="attachment_33428" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-33428" loading="lazy" src="https://infracom.com.sg/wp-content/uploads/2024/02/img3-2.png" alt="Figure 3: Review S3 bucket" width="624" height="247" class="size-full wp-image-33428" />
<p id="caption-attachment-33428" class="wp-caption-text">Figure 3: Review S3 bucket</p>
</div> </li>
<li>On the <strong>Refine the scope</strong> page, choose <strong>One-time job</strong>, and then choose <strong>Next</strong>.<br /><blockquote>
<p><strong>Note</strong>: After you successfully test, you can schedule the job to scan S3 buckets at the frequency that you choose.</p>
</blockquote>
<div id="attachment_33429" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-33429" loading="lazy" src="https://infracom.com.sg/wp-content/uploads/2024/02/img4-2.png" alt="Figure 4: Select one-time job" width="624" height="225" class="size-full wp-image-33429" />
<p id="caption-attachment-33429" class="wp-caption-text">Figure 4: Select one-time job</p>
</div> </li>
<li>For <strong>Managed data identifier options</strong>, select <strong>Custom</strong> and then select <strong>Use specific managed data identifiers</strong>. For <strong>Select managed data identifiers</strong>, search for <span>STRIPE_CREDENTIALS</span> and then select it. Choose <strong>Next</strong>.
<div id="attachment_33430" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-33430" loading="lazy" src="https://infracom.com.sg/wp-content/uploads/2024/02/img5-1-1.png" alt="Figure 5: Select managed data identifier" width="624" height="344" class="size-full wp-image-33430" />
<p id="caption-attachment-33430" class="wp-caption-text">Figure 5: Select managed data identifier</p>
</div> </li>
<li>Enter a name and an optional description for the job, and then choose <strong>Next</strong>.
<div id="attachment_33431" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-33431" loading="lazy" src="https://infracom.com.sg/wp-content/uploads/2024/02/img6-1.png" alt="Figure 6: Enter job name" width="624" height="274" class="size-full wp-image-33431" />
<p id="caption-attachment-33431" class="wp-caption-text">Figure 6: Enter job name</p>
</div> </li>
<li>Review the job details and choose <strong>Submit</strong>. Macie will create and start the job immediately, and the job will run one time.</li>
<li>When the <strong>Status</strong> of the job shows <strong>Complete</strong>, select the job, and from the <strong>Show results</strong> dropdown, select <strong>Show findings</strong>.
<div id="attachment_33432" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-33432" loading="lazy" src="https://infracom.com.sg/wp-content/uploads/2024/02/img7-1.png" alt="Figure 7: Select the job and then select Show findings" width="624" height="123" class="size-full wp-image-33432" />
<p id="caption-attachment-33432" class="wp-caption-text">Figure 7: Select the job and then select Show findings</p>
</div> </li>
<li>You can now review the findings for sensitive data in your S3 bucket. As shown in Figure 8, Macie detected Stripe keys in each of the four files, and categorized the findings as <strong>High</strong> severity. You can review and manage the findings in the Macie console, retrieve them through the Macie API for further analysis, send them to <a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener">Amazon EventBridge</a> for automated processing, or publish them to <a href="https://aws.amazon.com/security-hub/" target="_blank" rel="noopener">AWS Security Hub</a> for a comprehensive view of your security state.
<div id="attachment_33433" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-33433" loading="lazy" src="https://infracom.com.sg/wp-content/uploads/2024/02/img8-1.png" alt="Figure 8: Review the findings" width="624" height="176" class="size-full wp-image-33433" />
<p id="caption-attachment-33433" class="wp-caption-text">Figure 8: Review the findings</p>
</div> </li>
</ol>
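<p>As an added example that is not part of the original post or of Macie itself, the following Python mirrors what the job above does over the four mock objects: it matches the <span>sk_live_</span> and <span>rk_live_</span> prefixes named earlier, rates any live secret or restricted key <strong>High</strong>, and records each hit as a SHA-256 fingerprint plus a redacted display so the finding can be de-duplicated and correlated without copying the secret into another log. The <span>sk_test_</span>/<span>rk_test_</span> prefixes and the 16-character minimum body length are assumptions taken from Stripe’s documented naming, not from the post.</p>

```python
import hashlib
import re
from collections import Counter

# Prefixes named in the post (sk_live_, rk_live_) plus Stripe's test-mode
# counterparts (sk_test_, rk_test_). The 16-character minimum body length is
# an assumption; the mock keys in the post have 24-character bodies.
STRIPE_KEY_RE = re.compile(r"\b(sk|rk)_(?P<mode>live|test)_[A-Za-z0-9]{16,}\b")

# Constructed input: the four mock objects from the walkthrough.
MOCK_OBJECTS = {
    "file1": "stripe publishable key sk_live_cpegcLxKILlrXYNIuqYhGXoy\n",
    "file2": "sk_live_cpegcLxKILlrXYNIuqYhGXoy\n"
             "sk_live_abcdcLxKILlrXYNIuqYhGXoy\n"
             "sk_live_efghcLxKILlrXYNIuqYhGXoy\n"
             "stripe payment sk_live_ijklcLxKILlrXYNIuqYhGXoy\n",
    "file3": "sk_live_cpegcLxKILlrXYNIuqYhGXoy\n"
             "stripe api key sk_live_abcdcLxKILlrXYNIuqYhGXoy\n",
    "file4": "stripe secret key sk_live_cpegcLxKILlrXYNIuqYhGXoy\n",
}

def fingerprint(key: str) -> str:
    """Stable id for de-duplicating one key across objects without storing it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def redact(key: str) -> str:
    """Keep prefix and last four characters; the full key never reaches a log."""
    prefix, _, body = key.rpartition("_")
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"

def scan_object(text: str) -> dict:
    """Classify one object: a live secret/restricted key is High severity (as
    Macie rates it); test-mode keys cannot move real money, so they are Low."""
    live, test = [], []
    for m in STRIPE_KEY_RE.finditer(text):
        entry = {"display": redact(m.group(0)), "fingerprint": fingerprint(m.group(0))}
        (live if m.group("mode") == "live" else test).append(entry)
    return {"live_keys": live, "test_keys": test,
            "severity": "High" if live else ("Low" if test else None)}

def scan_bucket(objects: dict) -> dict:
    """Scan every object; the distinct fingerprints are the keys that must be
    rolled, and the per-object findings say where each copy lives."""
    findings = {name: scan_object(body) for name, body in objects.items()}
    distinct = Counter(e["fingerprint"] for f in findings.values() for e in f["live_keys"])
    return {"findings": findings, "distinct_live_keys": dict(distinct)}

if __name__ == "__main__":
    print(scan_bucket(MOCK_OBJECTS))
```

<p>Over the mock data this reports a High finding in each of the four objects, eight key occurrences in total, but only four distinct keys to roll, which is the number that matters for the response step below.</p>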
<h2>Respond to unintended disclosure of Stripe API keys</h2>
<p>If you discover Stripe live-mode keys (or other sensitive data) in an S3 bucket, then through the Stripe dashboard, you <a href="https://stripe.com/docs/keys#rolling-keys" target="_blank" rel="noopener">can roll your API keys</a> to revoke access to the compromised key and generate a new one. This helps ensure that the key can’t be used to make malicious API requests. Make sure that you install the replacement key into the production services that need it. In the longer term, you can take steps to understand the path by which the key was disclosed and help prevent a recurrence.</p>
<h2>Conclusion</h2>
<p>In this post, you learned about the importance of safeguarding Stripe API keys on AWS. By using Amazon Macie with managed data identifiers, setting up regular reviews and restricted access to S3 buckets, training developers in security best practices, and monitoring logs and repositories, you can help mitigate the risk of key exposure and potential security breaches. By adhering to these practices, you can help ensure a robust security posture for your sensitive data on AWS.</p>
<p>If you have feedback about this post, submit comments in the <strong>Comments</strong> section below. If you have questions about this post, start a new thread on <a href="https://repost.aws/tags/TA_J7v39UoTdiBWCAlEs2svA/" target="_blank" rel="noopener">Amazon Macie re:Post</a>.</p>