Api Key Exposure in Chi with Dynamodb

Chi is a lightweight HTTP framework for Clojure that often interacts with backend data stores such as DynamoDB. When API keys are embedded in Chi application code or configuration and those files are committed to version control, the keys can be exposed through source code leaks or build artifacts. Separately, DynamoDB tables that store application data may themselves expose sensitive information if fine-grained access controls are not enforced. The combination of Chi services using DynamoDB creates a scenario where an exposed API key can lead to unauthorized access to DynamoDB resources, and compromised DynamoDB data can aid in further attacks against the Chi application.

Chi applications typically read configuration at runtime; if an API key is stored as an environment variable or loaded from a file that is checked into Git, a repository leak can directly expose the key. Once an attacker has the key, they can attempt to use it against AWS endpoints. If the associated IAM principal has permissions to read or write DynamoDB tables, this may result in data exfiltration, modification, or deletion. DynamoDB resource policies and IAM policies define who can call GetItem, Query, Scan, or PutItem; overly permissive policies increase the impact of a leaked key. Additionally, if the Chi application uses the AWS SDK for JavaScript/Node.js or Java within its request handling pipeline, misconfigured SDK clients can inadvertently make calls with broader permissions than intended.

Another vector involves logging and error messages. Chi applications that log raw requests or responses may inadvertently include DynamoDB keys, table names, or ARNs in logs that are aggregated centrally. Those logs, if improperly protected, become a secondary source of exposure. DynamoDB streams and backups can also retain sensitive data; if access to those streams or backups is not tightly scoped, a key with read access to the table may be used to inspect historical data. The risk is compounded when the same key is used across multiple services or environments, making lateral movement easier for an attacker.

middleBrick can detect API key exposure patterns in endpoints served by Chi and analyze the unauthenticated attack surface of DynamoDB-exposed resources through its Data Exposure and Inventory Management checks. By scanning the public endpoints of a Chi application, the tool can identify whether sensitive strings resembling API keys are present in responses, headers, or error payloads. The scan also helps surface misconfigured CORS rules, unnecessary HTTP methods, and endpoints that return metadata or debugging details, which can indirectly facilitate further reconnaissance against DynamoDB.

Because middleBrick performs black-box scanning without agents or credentials, it can quickly surface whether a Chi endpoint is inadvertently leaking information that could aid an attacker in targeting DynamoDB. The tool runs checks in parallel, including Input Validation, Data Exposure, and Unsafe Consumption, to highlight risky behaviors. Findings include severity ratings and remediation guidance, helping teams understand how to reduce the chance of key exposure through improved configuration and access controls.

Remediation focuses on ensuring API keys are never stored in source code, limiting DynamoDB access to least privilege, and hardening the Chi application’s interaction with AWS. Use AWS Secrets Manager or environment injection at runtime to supply keys, and enforce strict IAM policies that restrict DynamoDB actions to specific tables and operations.

Example: Define a restricted IAM policy for the Chi application’s AWS credentials that allows only GetItem and Query on a specific table, and attach it to a role or user used by the application. Avoid using full dynamodb:* permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/ChiAppData"
    }
  ]
}

Example: In Chi, load the key from environment variables securely and pass it to the AWS SDK client without logging it. Avoid writing the key to logs or responses.

(ns chi-app.handler
  (:require [cheshire.core :as json]
            [aws.sdk.dynamodb :as ddb]))

(defn get-item [table key]
  (let [client (ddb/client {:region "us-east-1"
                            ;; key is injected via environment, not hardcoded
                            :access-key-id (System/getenv "AWS_ACCESS_KEY_ID")
                            :secret-access-key (System/getenv "AWS_SECRET_ACCESS_KEY")})
        response (ddb/get-item client {:table-name table
                                       :key key})]
    (json/generate-string response)))

Example: Use DynamoDB resource policies to further restrict access from unexpected sources. This complements IAM by adding a layer of resource-based control.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictSourceIP",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "dynamodb:*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24"
          ]
        }
      }
    }
  ]
}

Additionally, rotate keys regularly, enable DynamoDB encryption at rest, and monitor CloudTrail logs for unusual GetItem or Scan activity. In development, use local DynamoDB instances or mock clients to avoid accidental calls to production tables. middleBrick’s Continuous Monitoring and GitHub Action integrations can help enforce that risk scores do not degrade when changes are pushed, and the MCP Server allows you to scan API configurations directly from your IDE to catch potential exposure early.