Introduction

The prevalence of unmanaged users with long-lived credentials in cloud services poses significant security risks to organizations, making them vulnerable to data breaches [10]. This issue is exacerbated by outdated and unused credentials, which are often exposed in various digital artifacts, leading to numerous documented cloud security incidents.

Description

Nearly half (46%) of organizations are vulnerable to data breaches due to unmanaged users with long-lived credentials in cloud services, significantly increasing security risks [1] [2] [9] [10]. These persistent credentials [1], defined as access keys older than one year [1], are frequently exposed in source code [5] [6] [7], container images [1] [3] [5] [6] [7] [9], build logs [1] [5] [6] [7] [9], and application artifacts [1] [3] [5] [6] [7] [9], making them a leading cause of documented cloud security incidents [5] [6] [7]. Alarmingly, a substantial number of these credentials are outdated and often unused [5] [6] [7], with 62% of Google Cloud service accounts, 60% of AWS Identity and Access Management (IAM) users [2], and 46% of Microsoft Entra ID applications possessing access keys that are over a year old [2] [4]. Additionally, unused credentials can leak in source code [10], further exacerbating security vulnerabilities.

The findings indicate that 10% of third-party integrations have risky cloud permissions [6], potentially allowing unauthorized access to all account data [6], while 2% of third-party integration roles lack enforcement of External IDs [6], making them susceptible to ‘confused deputy’ attacks [6]. Furthermore, 18% of AWS EC2 instances and 33% of Google Cloud VMs have sensitive permissions [6], heightening the risk of credential theft [6].

To mitigate these risks [1] [6] [9], organizations are encouraged to eliminate long-lived credentials altogether and implement strategies that include securing identities with modern authentication mechanisms and utilizing short-lived, tightly scoped [8], temporary credentials [8]. For instance, HCP TerraForm enhances security by generating dynamic credentials for each plan-apply cycle through HCP Vault Secrets, effectively reducing concerns related to persistent access [8]. Actively monitoring API changes that are frequently exploited by attackers is also essential [1]. Additionally, the adoption of cloud guardrails is on the rise [1], with 79% of S3 buckets now protected by an S3 Public Access Block [1], up from 73% the previous year [1]. These measures are crucial for enhancing overall cloud security and reducing the risk of compromised credentials, which are a primary factor in many cloud security incidents.

Conclusion

The impact of unmanaged and outdated credentials in cloud services is profound, leading to increased vulnerability to data breaches. Mitigating these risks requires a strategic approach, including the elimination of long-lived credentials and the adoption of modern authentication practices. As organizations continue to enhance their cloud security measures, the implementation of dynamic credential generation and the monitoring of API changes will be vital. The growing adoption of cloud guardrails, such as the S3 Public Access Block, demonstrates a positive trend towards improved security practices, which are essential for safeguarding against credential-related incidents in the future.

References

[1] https://insight.scmagazineuk.com/long-lived-cloud-credentials-still-being-used
[2] https://www.infosecurity-magazine.com/news/orgs-long-lived-cloud-credentials/
[3] https://marketwirenews.com/news-releases/datadog-s-state-of-cloud-security-2024-finds-room-fo-5622670567560214.html
[4] https://www.darkreading.com/cloud-security/unmanaged-cloud-credentials-risk-half-orgs
[5] https://finance.yahoo.com/news/datadogs-state-cloud-security-2024-200500270.html
[6] https://www.stocktitan.net/news/DDOG/datadog-s-state-of-cloud-security-2024-finds-room-for-improvement-in-1fm3np6889uw.html
[7] https://www.prnewswire.com/news-releases/datadogs-state-of-cloud-security-2024-finds-room-for-improvement-in-the-use-of-long-lived-credentials-across-all-major-clouds-302282005.html
[8] https://thenewstack.io/hashicorps-radar-scans-repos-commits-and-pulls-for-leaks/
[9] https://markets.ft.com/data/announce/detail?dockey=600-202410211605PRNEWSUSPRX____NY35834-1
[10] https://thenimblenerd.com/article/cloud-credential-chaos-the-unfunny-risk-of-long-lived-access-keys/