- Report warns that long-lived credentials remain a significant security risk
- Outdated access keys increase vulnerabilities on cloud platforms
- Automated credential management is critical for cloud security
As cloud computing adoption continues to grow, with organizations increasingly relying on platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud for their infrastructure and services, their security risks also become more complex.
Datadog's recent State of Cloud Security 2024 report highlights one particularly worrying issue: the use of long-lived credentials, which poses a significant security threat across all major cloud providers.
Despite advances in cloud security tools and practices, many organizations still use long-lived credentials, which do not automatically expire.
The prevalence of long-lived credentials
Long-lived credentials, especially those that are no longer actively managed, can serve as easy targets for attackers. If leaked or compromised, they could provide unauthorized access to sensitive data or systems. The longer these credentials remain without rotation or monitoring, the greater the risk of a security breach.
Datadog’s report shows that nearly half (46%) of organizations still have unmanaged users with long-lived credentials. These credentials are particularly problematic because they are often embedded in various assets such as source code, container images, and build logs. If these credentials are not managed properly, they can be easily leaked or exposed, giving attackers an entry point to access critical systems and data.
Nearly two-thirds (62%) of Google Cloud service accounts, 60% of AWS Identity and Access Management (IAM) users, and 46% of Microsoft Entra ID applications have access keys that are more than a year old.
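The year-old-key figures above are exactly what an IAM credential report exposes. The following is an added example (not code from the article or from Datadog) that parses a CSV in the layout of an AWS IAM credential report and flags every active access key older than a threshold; the column names are the report's real ones, but the rows, user names and account ID are constructed sample data, and the reference date is fixed so the check runs offline.

```python
"""Flag IAM users whose active access keys are older than a threshold.

Added example, not from the Datadog report or the article. It parses a CSV
in the layout of an AWS IAM credential report (the column names below are
the report's real ones; the rows are constructed sample data).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the credential-report layout. Only the columns
# this check needs are included; a real report carries many more.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2022-03-01T09:12:00+00:00,2024-10-01T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-08-15T08:00:00+00:00,2024-10-02T07:30:00+00:00,true,2021-05-20T10:00:00+00:00,N/A
svc-legacy,arn:aws:iam::111122223333:user/svc-legacy,true,2019-11-11T11:11:00+00:00,N/A,false,N/A,N/A
"""

# Fixed "now" so the demo is reproducible; use datetime.now(timezone.utc) for real runs.
DEMO_NOW = datetime(2024, 10, 15, tzinfo=timezone.utc)


def parse_ts(value):
    """Credential reports use 'N/A' or 'no_information' where no timestamp exists."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, now, max_age_days=365):
    """Return (user, key_slot, age_days, last_used) for every active key
    whose last rotation is older than max_age_days. last_used is None for
    a key that has never been used, the strongest candidate for deletion."""
    findings = []
    cutoff = timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = now - rotated
            if age > cutoff:
                last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
                findings.append((row["user"], slot, age.days, last_used))
    return findings


def run_demo():
    """Run the check over the constructed report with the fixed reference date."""
    return stale_access_keys(SAMPLE_REPORT, DEMO_NOW)


if __name__ == "__main__":
    for user, slot, age_days, last_used in run_demo():
        usage = "never used" if last_used is None else f"last used {last_used.date()}"
        print(f"{user}: access key {slot} is {age_days} days old ({usage})")
```

Against a real account, the input comes from the `aws iam get-credential-report` output (base64-decoded CSV); the same function then gives a ranked list of what to rotate or deactivate first, with never-used keys at the top.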
In response to these risks, cloud providers are making progress toward improving security. Datadog reports that adoption of cloud guardrails is on the rise. These guardrails are automated rules or configurations designed to enforce security best practices and prevent human error.
For example, 79% of Amazon S3 buckets now have either account-wide or bucket-specific public access blocks enabled, up from 73% last year. However, while these proactive measures are a step in the right direction, long-lived credentials remain a major blind spot in cloud security efforts.
Additionally, the report notes a markedly high number of cloud resources with highly permissive configurations.
Approximately 18% of AWS EC2 instances and 33% of Google Cloud VMs were found to have sensitive permissions that could potentially allow an attacker to compromise the environment. In cases where cloud workloads are breached, these sensitive permissions can be used to steal associated credentials, enabling attackers to access broader cloud environments.
Additionally, there is the risk posed by third-party integrations, which are common in modern cloud environments. More than 10% of third-party integrations examined in the report were found to have risky cloud permissions, potentially allowing the vendor to access sensitive data or take control of an entire AWS account.
Furthermore, 2% of these third-party roles do not enforce the use of external IDs, making them vulnerable to a "confused deputy" attack, a scenario in which an attacker tricks a service into misusing its privileges to perform unintended actions.
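The external ID the report refers to is a condition on the role's trust policy. The following is an added example, not code from the article or from Datadog, that shows a cross-account trust policy without the `sts:ExternalId` condition beside the corrected one, and a small check that flags any statement allowing `sts:AssumeRole` to an account other than your own without that condition. Both policy documents are constructed; 111122223333 stands in for your own account, 999988887777 for a vendor's account, and the external ID value is a placeholder.

```python
"""Detect cross-account AssumeRole trust without an sts:ExternalId condition.

Added example, not from the article or the Datadog report. The two trust
policies are constructed; account IDs and the external ID are placeholders.
"""
import json

# Weak: the vendor's account may assume the role with no external ID, so any
# caller the vendor acts for could have it assume this role (confused deputy).
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Corrected: the same trust, but the vendor must present the agreed external ID.
FIXED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID-PLACEHOLDER"}},
    }],
})


def _as_list(value):
    """IAM allows a single string where a list is also permitted."""
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Extract the account ID from an ARN; a bare 12-digit ID is returned as-is."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def _has_external_id(statement):
    # IAM condition keys are case-insensitive; only equality/pattern operators
    # count as actually enforcing the external ID.
    conditions = statement.get("Condition", {})
    for operator in ("StringEquals", "StringLike"):
        if any(k.lower() == "sts:externalid" for k in conditions.get(operator, {})):
            return True
    return False


def assume_role_without_external_id(policy_json, own_account):
    """Return the principals that may assume the role from outside own_account
    without an external ID. An empty list means the policy passes this check."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if _has_external_id(stmt):
            continue
        for p in aws_principals:
            if p == "*" or account_of(p) != own_account:
                findings.append(p)
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("fixed", FIXED_TRUST_POLICY)):
        print(name, "->", assume_role_without_external_id(doc, "111122223333"))
```

Run the check over the output of `aws iam get-role` for each third-party role; the external ID itself is a shared secret agreed with the vendor and should not be guessable, but the check above only cares whether the condition is enforced at all.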
"The conclusions from State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be managed securely," said Andrew Krug, head of security advocacy at Datadog.
"In addition to long-lived credentials being a major risk, the report found that the majority of cloud security incidents are caused by compromised credentials. To keep themselves safe, companies need to secure identities with modern authentication mechanisms, taking advantage of ephemeral credentials and actively monitoring changes to the APIs that attackers commonly use," Krug said.