Old credentials never die they just present a cloud security risk
Long-lived credentials on major cloud platforms continue to be a huge risk for organizations, according to a new report from Datadog.
Long-lived cloud credentials never expire and frequently get leaked in source code, container images, build logs and application artifacts, making them a major security risk. The report finds that 46 percent of organizations are still using unmanaged users with long-lived credentials.
Not only are long-lived credentials widespread across all major clouds, they are also often old and even unused. 62 percent of Google Cloud service accounts, 60 percent of AWS IAM users and 46 percent of Microsoft Entra ID applications have an access key older than one year.
"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," says Andrew Krug, head of security advocacy at Datadog. "In addition to long-lived credentials being a major risk, the report found that most cloud security incidents are caused by compromised credentials. To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use."
Among other findings, adoption of cloud guardrails is on the rise -- 79 percent of S3 buckets are covered by an account-wide or bucket-specific S3 Public Access Block, up from 73 percent a year ago -- thanks to cloud providers starting to enable guardrails by default.
In addition more than 18 percent of AWS EC2 instances and 33 percent of Google Cloud VMs have sensitive permissions to a project. This puts organizations at risk as any attacker compromising the workload is able to steal associated credentials and access the cloud environment.
There's a problem with third-party permissions too, 10 percent of third-party integrations have risky cloud permissions, allowing the vendor to access all data in the account or to take over the whole AWS account. Two percent percent of third-party integration roles don't enforce the use of External IDs either, which allows an attacker to compromise them through a 'confused deputy' attack.
The full report is available from the Datadog site.
Image credit: sanadesign/depositphotos.com