Compromised secrets, such as leaked API and SSH keys, credentials, and session tokens, are a leading cause of cloud security breaches. Attackers can gain access either by exploiting stolen secrets through phishing or by taking advantage of misconfigurations in your cloud environment. Long-lived credentials, like AWS IAM user access keys, GCP service account keys, and Entra ID application keys, are among the most common culprits behind data breaches in the cloud.
To mitigate these risks, it’s essential to implement processes that avoid storing secrets altogether. Strategies like enforcing auto-expiration policies and using centralized identity management systems can help manage authentication and authorization workflows efficiently, without relying on secrets for individual accounts and applications.
Even with these preventive measures, it’s crucial to maintain visibility into your existing secrets to replace them with more secure options and avoid costly security issues. In this post, we’ll explore a few examples of how to enhance secrets management by effectively tracking the lifecycle of your credentials, keys, and other sensitive data. Key steps include monitoring when secrets need to be revoked or have expired, and detecting anomalies in their usage.
Track When Secrets Need to Be Revoked
Cloud environments and their authentication and authorization requirements are constantly evolving. Organizations frequently create new cloud accounts for employees, dynamically spin up workloads to process traffic, and provision new virtual machines or storage to meet increasing demand. Each new user, service, or workload will require access to associated resources.
Given this constant flux, it’s vital to identify and remove compromised or obsolete secrets to restrict access to sensitive data. Searching for individual secrets manually can be inefficient, but there are several areas to monitor:
- Misconfigurations: Code, services, and resource misconfigurations can easily be overlooked in complex environments, especially with frequent deployments. Hardcoding secrets or passing them as environment variables, although a well-known anti-pattern, still occurs often and needs to be addressed immediately if detected. Tools like Datadog’s Sensitive Data Scanner can flag exposed secrets, allowing you to fix vulnerabilities without manually scouring your environment.
- IAM and Account Configurations: Monitoring your Identity and Access Management (IAM) configurations is crucial for maintaining overall security. Visual reports can quickly highlight problematic keys, such as root account access keys, which are long-lived credentials. An attacker gaining control of a root access key could have unrestricted access to all resources, escalating the risk of a breach. Datadog’s AWS compliance reports can help identify vulnerabilities, such as compromised access keys linked to root accounts.
- Detecting Compromised Secrets: Misconfigured secrets, such as a compromised AWS IAM access key, need to be flagged and removed immediately. Monitoring unusual behaviors—like enumerating Amazon SNS across multiple regions with a long-term access key—can help surface compromised or misused secrets. Look for anomalies like:
- Excessive secret retrieval from AWS Secrets Manager
- Unfamiliar IAM users accessing AWS Secrets Manager
- Abnormal enumeration of AWS Secrets Manager
Know When Secrets Have Expired (or Should Expire)
Enforcing auto-expiration policies is one of the best ways to reduce exposure risks. To implement this effectively, it’s important to track when secrets are set to expire and ensure they have appropriate expiration policies. For instance, IAM user passwords should expire after 90 days, and other credentials should be deactivated or removed if not used for 45 days.
For platforms like Azure Key Vault, which mandates expiration dates for keys, it’s essential to monitor and phase out expired secrets regularly. This can be achieved by replacing IAM users with identity provider platforms and ensuring all secrets are rotated or removed as part of your workflow.
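The expiration checks described above, as an added example that is not part of the original post: a small Python script that walks rows shaped like the AWS IAM credential report and flags passwords older than 90 days, active access keys unused for more than 45 days, and any access key on the root account. The rows, the allow-list and the as-of time are constructed sample data; the column names follow the credential report's CSV fields.

```python
from datetime import datetime, timezone

PASSWORD_MAX_AGE_DAYS = 90  # IAM user passwords should be rotated after 90 days
UNUSED_MAX_DAYS = 45        # credentials not used for 45 days should be deactivated

# Constructed as-of time so the example is deterministic (assumption, not real data).
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed rows shaped like the AWS IAM credential report (real reports are CSV).
SAMPLE_REPORT = [
    {"user": "alice", "password_enabled": "true",
     "password_last_changed": "2024-01-02T09:00:00+00:00",
     "access_key_1_active": "true", "access_key_1_last_used_date": "2024-04-28T10:00:00+00:00"},
    {"user": "build-bot", "password_enabled": "false", "password_last_changed": "N/A",
     "access_key_1_active": "true", "access_key_1_last_used_date": "2024-02-01T00:00:00+00:00"},
    {"user": "<root_account>", "password_enabled": "true",
     "password_last_changed": "2024-04-01T00:00:00+00:00",
     "access_key_1_active": "true", "access_key_1_last_used_date": "N/A"},
]

def _age_days(timestamp, now):
    """Whole days since an ISO-8601 timestamp; None when the report has no value."""
    if timestamp in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(timestamp)).days

def find_stale_credentials(rows, now=NOW):
    """Return (user, reason) findings for credentials that violate the rotation policy."""
    findings = []
    for row in rows:
        user = row["user"]
        if user == "<root_account>" and row.get("access_key_1_active") == "true":
            findings.append((user, "root access key present"))
        if row.get("password_enabled") == "true":
            age = _age_days(row["password_last_changed"], now)
            if age is not None and age > PASSWORD_MAX_AGE_DAYS:
                findings.append((user, f"password age {age}d exceeds {PASSWORD_MAX_AGE_DAYS}d"))
        if row.get("access_key_1_active") == "true":
            idle = _age_days(row["access_key_1_last_used_date"], now)
            if idle is None:
                findings.append((user, "access key never used"))
            elif idle > UNUSED_MAX_DAYS:
                findings.append((user, f"access key unused for {idle}d exceeds {UNUSED_MAX_DAYS}d"))
    return findings

if __name__ == "__main__":
    for user, reason in find_stale_credentials(SAMPLE_REPORT):
        print(f"{user}: {reason}")
```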
Track Anomalies in Secrets or Secrets Policy Activity
Even as you phase out compromised or unnecessary secrets, it can be challenging to monitor every change in a dynamic cloud environment. Instead of tracking individual changes, it’s more effective to monitor for unusual activities that could indicate a security risk.
For example, understanding which AWS API calls return secrets allows you to create the appropriate access policies and monitor for unnecessary changes. By focusing on anomalies, you can avoid wasting time on false positives. A change in an IAM policy might not be suspicious on its own, but if a user who typically doesn’t alter policies begins to make other changes, that could signal malicious activity.
Some specific activities to watch for:
- Creation of an AWS access key by an unknown identity
- Deletion or scheduled deletion of an AWS KMS key
- Creation of a Google Cloud Service Account key
- Modifications to SSH keys in Google Compute Engine metadata by unfamiliar users
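The anomalies listed in this section and under "Detecting Compromised Secrets" above, as an added example that is not part of the original post: detection logic in Python run over constructed CloudTrail-style events. It flags an access key created by an identity outside a constructed allow-list, a scheduled KMS key deletion, an unfamiliar identity calling Secrets Manager, excessive GetSecretValue calls by one identity, and a long-term key (AKIA prefix) enumerating SNS across several regions. Thresholds, principal names and key IDs are assumptions.

```python
from collections import defaultdict

KNOWN_IDENTITIES = {"alice", "deploy-role"}  # constructed allow-list of expected principals
SECRET_RETRIEVAL_THRESHOLD = 3               # GetSecretValue calls per identity before alerting
SNS_REGION_THRESHOLD = 2                     # regions one long-term key may enumerate SNS in

def _ev(source, name, user, key, region="us-east-1"):
    """Build a CloudTrail-style event reduced to the fields the checks use."""
    return {"eventSource": source, "eventName": name, "userName": user,
            "accessKeyId": key, "awsRegion": region}

# Constructed sample events (key IDs are placeholders, not real credentials).
SAMPLE_EVENTS = (
    [_ev("iam.amazonaws.com", "CreateAccessKey", "mallory", "AKIAEXAMPLE000000001")]
    + [_ev("kms.amazonaws.com", "ScheduleKeyDeletion", "alice", "ASIAEXAMPLE000000002")]
    + [_ev("secretsmanager.amazonaws.com", "GetSecretValue", "deploy-role", "ASIAEXAMPLE000000003")] * 4
    + [_ev("secretsmanager.amazonaws.com", "ListSecrets", "mallory", "AKIAEXAMPLE000000001")]
    + [_ev("sns.amazonaws.com", "ListTopics", "mallory", "AKIAEXAMPLE000000001", r)
       for r in ("us-east-1", "eu-west-1", "ap-south-1")]
)

def detect_secret_anomalies(events):
    """Return human-readable findings for the secrets-related anomalies in `events`."""
    findings = []
    secret_reads = defaultdict(int)   # identity -> GetSecretValue count
    sns_regions = defaultdict(set)    # long-term key -> regions it enumerated SNS in
    for e in events:
        src, name, user, key = e["eventSource"], e["eventName"], e["userName"], e["accessKeyId"]
        if src == "iam.amazonaws.com" and name == "CreateAccessKey" and user not in KNOWN_IDENTITIES:
            findings.append(f"access key created by unknown identity {user}")
        if src == "kms.amazonaws.com" and name == "ScheduleKeyDeletion":
            findings.append(f"KMS key deletion scheduled by {user}")
        if src == "secretsmanager.amazonaws.com":
            if user not in KNOWN_IDENTITIES:
                findings.append(f"unfamiliar identity {user} called {name} on Secrets Manager")
            if name == "GetSecretValue":
                secret_reads[user] += 1
        # Long-term IAM user keys start with AKIA; temporary STS keys start with ASIA.
        if src == "sns.amazonaws.com" and name == "ListTopics" and key.startswith("AKIA"):
            sns_regions[key].add(e["awsRegion"])
    for user, n in secret_reads.items():
        if n > SECRET_RETRIEVAL_THRESHOLD:
            findings.append(f"excessive secret retrieval: {user} called GetSecretValue {n} times")
    for key, regions in sns_regions.items():
        if len(regions) > SNS_REGION_THRESHOLD:
            findings.append(f"long-term key {key} enumerated SNS in {len(regions)} regions")
    return findings
```

In practice the same checks run over a rolling time window rather than a fixed list, and the allow-list comes from your identity provider rather than a constant.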
Phasing Out Vulnerable Secrets with Datadog
Stale secrets, such as cloud credentials, access keys, and session tokens, can provide attackers with unrestricted access if not managed properly. While temporary credentials help minimize this risk, tracking existing secrets is equally important to mitigate potential issues.
Datadog gives you the visibility needed to phase out vulnerable secrets gradually. For example, Datadog’s Cloud SIEM provides built-in detection rules that help monitor patterns in cloud activity and audit logs, providing deeper insight into why certain actions were taken. Additionally, Datadog Cloud Security Management will notify you of misconfigurations or secrets lacking expiration policies. Datadog’s Sensitive Data Scanner can detect hardcoded secrets in application code, logs, or telemetry, ensuring they are flagged and removed promptly.
For more information on Datadog’s security capabilities and how to protect your cloud environment, explore our documentation or sign up for a free 14-day trial.
Author: Datadog