DigitalOcean Spaces Keys

Description

General

• Documentation: https://docs.digitalocean.com/reference/api/spaces-api/
• Summary: Digital Ocean is a cloud infrastructure provider. Digital Ocean Spaces is an object storage service among Digital Ocean services. All the features available in the control panel are also available via the API. Authentication is required to interact with the API, it is composed of an access key that is not secret, and a secret key that must remain private.
• IPs allowlist: IP addresses can be added to an allowlist from the Digital Ocean dashboard in the Networking/Firewalls tab.
• Scopes: Spaces access keys can either have FULL_CONTROL or READ access. With full control, one can read, write, or delete data with these keys: leaking these is a serious security incident.

Revoke the secret

Spaces access keys can be revoked from the Digital Ocean Dashboard.

Check for suspicious activity

The Digital Ocean Dashboard provides a list of all actions (login, resource creation and deletion) that happened in the last 12 months. This can be accessed from the My Profile/Security section of the dashboard.

Details for DigitalOcean Spaces Keys

• Family: credentials

• Category: cloud_provider

• Company: DigitalOcean

• High recall: False

• Validity check available: True

• Analyzer available: True

• On-premise instances exist: False

• Only valid secrets raise an alert: False

• Minimum number of matches: 2

• Occurrences found for one million commits: 4.52

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^lock$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - digital ?ocean
    - do_space

Examples

- text: |
    client = session.client('s3',
                      region_name='ams3',
                      endpoint_url='https://ams3.digitaloceanspaces.com',
                      aws_access_key_id='CO7HMQ4XDCGED3PTUJOC',
                      aws_secret_access_key='qg23gFx3boMaQfavW/skdnLL+3/L1Yab4KvuJkXZ5lE')
  client_id: 'CO7HMQ4XDCGED3PTUJOC'
  client_secret: 'qg23gFx3boMaQfavW/skdnLL+3/L1Yab4KvuJkXZ5lE'

- text: |
    dos://CO7HMQ4XDCGED3PTUJOC:qg23gFx3boMaQfavW/skdnLL+3/L1Yab4KvuJkXZ5lE@ams3.digitaloceanspaces.com
  client_id: 'CO7HMQ4XDCGED3PTUJOC'
  client_secret: 'qg23gFx3boMaQfavW/skdnLL+3/L1Yab4KvuJkXZ5lE'

Secret Analyzer

Analysis Method

• Provider allows scopes enumeration: False
• Total network call count: 5
• Total call count may vary: True

HTTP Calls

Requests are designed to capture metadata and not to function effectively. No HTTP calls for this analyzer.

Other Calls

Non-HTTP queries or HTTP calls made through a third-party app (e.g., Python package).

boto3.client

boto3.client.list_buckets

boto3.client.list_objects