From 8bd47a48554f5407654bf92b57e6fc434f04e674 Mon Sep 17 00:00:00 2001
From: Jaeyoung Yun
Date: Fri, 22 May 2026 08:57:28 +0900
Subject: [PATCH] fix(cfaws): create credentials file at 0o600 (was umask-default 0o644)

---
 pkg/cfaws/cred_exporter.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pkg/cfaws/cred_exporter.go b/pkg/cfaws/cred_exporter.go
index 6ebb13a2..945f6c55 100644
--- a/pkg/cfaws/cred_exporter.go
+++ b/pkg/cfaws/cred_exporter.go
@@ -19,7 +19,12 @@ func ExportCredsToProfile(profileName string, creds aws.Credentials) error {
 	// create it if it doesn't exist
 	if _, err := os.Stat(credPath); os.IsNotExist(err) {
-		f, err := os.Create(credPath)
+		// CWE-732 hardening: create the AWS credentials file with mode
+		// 0o600 (owner read/write only). os.Create uses umask-default
+		// (0o644 on standard Linux / macOS installs), which leaves the
+		// file world-readable. AWS credentials must be 0o600 minimum —
+		// aws-cli itself creates this file at 0o600.
+		f, err := os.OpenFile(credPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 		if err != nil {
 			return err
 		}