We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.
If you package or distribute this software, or use this software in your applications, and you discover a potential security issue, please use the same process above.
When using this library:
- Credential Management: Never hardcode AWS credentials in your code. Use IAM roles, environment variables, or AWS credential files.
- Token Handling:
  - Bearer tokens are valid for 12 hours by default
  - Do not log or store bearer tokens
  - Transmit tokens only over HTTPS
- Network Security: Always use HTTPS when making API calls with bearer tokens.
- Access Control: Follow the principle of least privilege when configuring IAM permissions.
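As an added illustration of the token-handling guidance above (example code, not part of this library): a logging filter that redacts bearer tokens before they reach any log sink, and a helper that refuses to attach a token to a non-HTTPS URL. The endpoint and token values are constructed placeholders.

```python
import logging
import re
from urllib.parse import urlsplit

# Matches "Bearer <token>" using the b64token character set of RFC 6750.
_BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*")


def redact_bearer(text: str) -> str:
    """Replace every bearer token value in text with a fixed marker."""
    return _BEARER_RE.sub(r"\1[REDACTED]", text)


class BearerRedactingFilter(logging.Filter):
    """Scrub bearer tokens from a record's message and its string arguments."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_bearer(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact_bearer(a) if isinstance(a, str) else a
                                for a in record.args)
        elif isinstance(record.args, dict):
            record.args = {k: redact_bearer(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        return True  # never drop the record, only sanitise it


def scrubbed_message(msg: str, *args) -> str:
    """Run one log call through the filter and return the text that would be emitted."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    BearerRedactingFilter().filter(record)
    return record.getMessage()


def auth_headers(url: str, token: str) -> dict:
    """Build the Authorization header, refusing any URL that is not HTTPS."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("bearer tokens must only be sent over HTTPS")
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("demo")
    log.addFilter(BearerRedactingFilter())
    # Constructed placeholder values; not a real endpoint or token.
    headers = auth_headers("https://api.example.invalid/", "tok.example-123")
    log.info("sending headers %s", headers)  # the token value is redacted
    try:
        auth_headers("http://api.example.invalid/", "tok.example-123")
    except ValueError as exc:
        log.info("refused: %s", exc)
```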
This library implements several security measures:
- Stateless Design: No credential storage or caching
- SigV4 Signing: Uses AWS Signature Version 4 for secure request signing
- Time-Limited Tokens: Generated tokens have a limited validity period
- No Sensitive Data Logging: The library does not log credentials or tokens
This library has minimal dependencies to reduce the attack surface:
- `boto3` and `botocore` for AWS SDK functionality
We regularly monitor our dependencies for security vulnerabilities and update them as needed.