
Securing AWS Credentials on Engineer's Machines with macOS Secure Enclave

Andy Caine

September 9, 2025

Last week, I wrote about the lessons from the Nx package poisoning attack, where malicious package versions were published to npm, silently stealing secrets - including cloud credentials - from any developer unlucky enough to download them. Amongst other things, the attack highlighted a problem in how we store and manage AWS credentials on development machines.

That problem is that the AWS CLI stores your credentials unencrypted on disk, by default in ~/.aws/credentials. Any process running as your user, such as a malicious npm package's install script, can read those credentials, exfiltrate them, and abuse them, with no prompt and no trace on your machine.

In last week's post, I wrote about the many ways you can mitigate this threat. For example, using temporary credentials reduces the window in which stolen credentials can be used, and least-privilege access limits the damage that can be done with them. But what if we could prevent unauthorised access to the credentials in the first place? That's why we've created awseal.

Hardware-Backed Security with awseal

awseal is inspired by Secretive. Secretive generates SSH keys in the Secure Enclave, a dedicated secure subsystem integrated into modern Apple devices. The private key never leaves the Secure Enclave, so it cannot be copied off the machine; the most a process on the host can do is ask the enclave to use it. Secure Enclave keys can also be configured to require biometric authentication before each use, meaning that no process can use your keys without your explicit permission. If you use Secretive as your SSH agent, you can be sure that your keys won't be stolen, and that they can't be used without your approval.

While you can't store AWS credentials themselves in the Secure Enclave, you can generate an elliptic-curve key agreement key there and use it with Hybrid Public Key Encryption (HPKE) to encrypt and decrypt cached AWS credentials. Encryption needs only the public key, so writing the cache is silent; decryption needs the enclave-resident private key, and with a biometric access policy the Secure Enclave requests biometric authentication every time, preventing silent theft and reuse of credentials. Here's how it works with awseal:

  • OIDC Credential Bootstrap: AWS Identity Center (formerly AWS SSO) APIs are used to allow the user to authenticate with AWS over SSO.
  • Seamless integration: awseal integrates with the AWS CLI via the credential_process configuration option.
  • Temporary Role Credentials: awseal fetches role credentials as needed using the Identity Center GetRoleCredentials API.
  • Credential Encryption: Cached role and SSO credentials are encrypted using a Secure Enclave key.
  • Biometric Access Control: Every credential access requires Touch ID.
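The seal-and-open path described above, as an added example that is not awseal's or Secretive's own code: a P-256 key agreement key is generated in the Secure Enclave with a biometric access policy and used as the HPKE recipient key for a credential cache. It assumes macOS 14 or later, where CryptoKit's HPKE API accepts Secure Enclave key agreement keys, a Mac with Touch ID, and the names CredentialVault, the HPKE info label and the sample credential JSON are constructed for this example.

```swift
import CryptoKit
import Foundation
import LocalAuthentication

// Example vault (not awseal's code). The HPKE recipient key lives in the
// Secure Enclave; the cache on disk is ciphertext plus an encapsulated key.
enum CredentialVault {
    static let suite = HPKE.Ciphersuite.P256_SHA256_AES_GCM_256
    // HPKE "info" binds the derived key to this use. Any fixed label works.
    static let info = Data("example-credential-cache".utf8)

    /// Generate a P-256 key agreement key inside the Secure Enclave whose
    /// private key may only be used after the currently enrolled biometrics
    /// succeed. The returned dataRepresentation is an opaque, enclave-wrapped
    /// handle: safe to store on disk, unusable on any other machine.
    static func makeKey() throws -> Data {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet],
            &cfError
        ) else {
            throw cfError!.takeRetainedValue() as Error
        }
        let key = try SecureEnclave.P256.KeyAgreement.PrivateKey(accessControl: access)
        return key.dataRepresentation
    }

    /// Seal credentials to the enclave key. Only the public key is used, so
    /// refreshing the cache never triggers a biometric prompt.
    static func seal(_ plaintext: Data, keyHandle: Data) throws -> (encapsulatedKey: Data, ciphertext: Data) {
        let publicKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(dataRepresentation: keyHandle).publicKey
        var sender = try HPKE.Sender(recipientKey: publicKey, ciphersuite: suite, info: info)
        let ciphertext = try sender.seal(plaintext, authenticating: Data())
        return (sender.encapsulatedKey, ciphertext)
    }

    /// Open the cache. The Diffie-Hellman step runs inside the enclave, which
    /// enforces the biometry policy: the user sees a Touch ID prompt showing
    /// `reason`, and a process that cannot obtain that approval gets an error,
    /// not the credentials.
    static func open(encapsulatedKey: Data, ciphertext: Data, keyHandle: Data, reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason
        let privateKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(
            dataRepresentation: keyHandle, authenticationContext: context)
        var recipient = try HPKE.Recipient(
            privateKey: privateKey, ciphersuite: suite, info: info, encapsulatedKey: encapsulatedKey)
        return try recipient.open(ciphertext, authenticating: Data())
    }
}

// Constructed sample: the JSON shape the AWS CLI expects back from a
// credential_process helper (placeholder values, not real credentials).
let sampleCredentials = Data("""
{"Version":1,"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example","SessionToken":"example","Expiration":"2025-09-09T12:00:00Z"}
""".utf8)

guard SecureEnclave.isAvailable else {
    fatalError("This Mac has no Secure Enclave")
}
let handle = try CredentialVault.makeKey()
let sealed = try CredentialVault.seal(sampleCredentials, keyHandle: handle)
// handle, sealed.encapsulatedKey and sealed.ciphertext are what a tool would
// persist; none of them yields the credentials without the enclave and Touch ID.
let opened = try CredentialVault.open(
    encapsulatedKey: sealed.encapsulatedKey, ciphertext: sealed.ciphertext,
    keyHandle: handle, reason: "Unlock cached AWS credentials")
print(String(decoding: opened, as: UTF8.self))
```

Two design points worth noting. Sealing uses the public key only, so a tool can write or refresh its cache without interrupting the user; every open goes through the enclave and therefore through Touch ID. And because the access policy is biometryCurrentSet rather than biometryAny, adding or removing a fingerprint invalidates the key, so a cache sealed before the change can no longer be opened and has to be re-established over SSO, which is the safe way to fail.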

What About Other Tools?

Before building awseal, we looked at a couple of existing tools for securing AWS credentials on macOS:

AWS Vault

AWS Vault stores long-lived IAM user credentials in macOS Keychain and uses them to generate temporary session credentials. While it’s a solid tool, we ruled it out for two reasons:

  1. It depends on long-lived IAM users, which AWS recommends avoiding.
  2. It uses the password-protected Keychain, rather than Secure Enclave keys with biometric protection.

AWS IAM Roles Anywhere Credential Helper

This helper allows workloads outside AWS to assume IAM roles using X.509 certificates. It’s powerful, but it requires standing up and managing a private CA, which adds operational overhead. And while it can integrate with macOS Keychain, it doesn’t use the Secure Enclave or enforce biometric authentication for access.

In both cases, the missing piece for us was hardware-backed protection with biometric enforcement. That’s the gap awseal is designed to fill.

Give It a Try

Hardware-backed encryption with biometric access control means malware running as your user cannot read your cached AWS credentials off disk: the only way to decrypt them is through the Secure Enclave, and that produces a Touch ID prompt. An unexpected prompt is therefore a signal to deny and investigate, since whatever you approve is handed to the process that asked for it.

You'll obviously need a Mac with a Secure Enclave (most modern Macs have one) and, preferably, Touch ID for easy unlocking of your credentials. You'll also need to be using Identity Center to manage access to your AWS accounts. We've built on Identity Center to leverage its support for OIDC authentication from the CLI and its support for multi-account access. Using Identity Center is an AWS best practice, mainly for these reasons.

awseal is built with auditability and security in mind. The entire implementation is a single Swift file, so it's easy to review, and every release is built with SLSA provenance, so you can cryptographically verify the origin of the binaries before you trust them with your credentials.

Give it a try and let us know how you get on.
