AWS, Azure, and Google Cloud credentials from legacy accounts are putting businesses at risk
- The report warns that long-lived credentials continue to pose a significant security risk
- Outdated access keys increase vulnerability on cloud platforms
- Automated credential management is crucial for cloud security
As the adoption of cloud computing continues to increase, organizations are increasingly relying on platforms such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud for their infrastructure and services. However, this means that their security risks also become more complex.
The recent Datadog State of Cloud Security 2024 report reveals a particularly concerning issue: the use of long-lived credentials, which poses significant security risks across all major cloud providers.
Despite advances in cloud security tools and practices, many organizations still use long-lived credentials that do not expire automatically.
The prevalence of long-lived credentials
Long-lived credentials, especially those that are no longer actively managed, can be easy targets for attackers. If leaked or compromised, they can provide unauthorized access to sensitive data or systems. The longer these credentials remain in place without rotation or monitoring, the greater the risk of a security breach.
Datadog’s report shows that almost half (46%) of organizations still have unmanaged users with long-lived credentials. These credentials are especially problematic because they are often embedded in various assets, such as source code, container images, and build logs. If not properly managed, these credentials can easily be leaked or exposed, providing attackers with an entry point to gain access to critical systems and data.
Nearly two-thirds (62%) of Google Cloud service accounts, 60% of AWS Identity and Access Management (IAM) users, and 46% of Microsoft Entra ID applications have access keys that are more than a year old.
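As an added illustration (not from the Datadog report or this article), the check below parses an AWS IAM credential report, as returned by `aws iam get-credential-report`, and flags every active access key whose last rotation is more than a year old; the sample rows, account ID, user names and dates are constructed, and the report is trimmed to the columns the check reads.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an IAM credential report, trimmed to the
# columns used here. Hypothetical users, account ID and timestamps.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,true,2022-03-01T09:15:00+00:00,2024-10-01T11:02:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-09-20T08:00:00+00:00,2024-10-02T16:45:00+00:00,false,N/A,N/A
legacy-etl,arn:aws:iam::123456789012:user/legacy-etl,true,2021-06-11T12:00:00+00:00,N/A,true,2023-01-05T12:00:00+00:00,2023-02-01T00:00:00+00:00
"""

# Fixed "as of" date so the ages below are reproducible (constructed).
REPORT_DATE = datetime(2024, 10, 15, 12, 0, tzinfo=timezone.utc)


def find_stale_keys(report_csv, now, max_age_days=365):
    """Return (user, key_slot, age_days, last_used) for every active access
    key rotated more than max_age_days before `now`. A last_used of "N/A"
    means the key has never been used, which is a rotation/removal candidate."""
    findings = []
    cutoff = now - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent key: no live credential to age
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if rotated > cutoff:
                continue  # rotated within the allowed window
            age_days = (now - rotated).days
            last_used = row[f"access_key_{slot}_last_used_date"]
            findings.append((row["user"], int(slot), age_days, last_used))
    return findings


if __name__ == "__main__":
    for user, slot, age, last_used in find_stale_keys(SAMPLE_REPORT, REPORT_DATE):
        used = "never used" if last_used == "N/A" else f"last used {last_used}"
        print(f"{user}: access key {slot} is {age} days old ({used})")
```

On a real report, pass `datetime.now(timezone.utc)` as `now`; keys that are both old and never used are the first candidates for deletion rather than rotation.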
In response to these risks, cloud providers have taken steps toward improving security. Datadog’s report notes that cloud guardrail adoption is increasing. These guardrails are automated rules or configurations designed to enforce security best practices and prevent human error.
For example, 79% of Amazon S3 buckets now have account-wide or bucket-specific public access blocks enabled, up from 73% last year. While these proactive measures are a step in the right direction, long-lived credentials remain a major blind spot in cloud security efforts.
Additionally, the report finds that a strikingly large number of cloud resources have overly permissive configurations.
About 18% of AWS EC2 instances and 33% of Google Cloud VMs were found to have sensitive permissions that could potentially allow an attacker to compromise the environment. In cases where a cloud workload is breached, these sensitive permissions can be abused to steal associated credentials, giving attackers access to the broader cloud environment.
There is also the risk of third-party integrations, which are common in modern cloud environments. More than 10% of third-party integrations examined in the report were found to have high-risk cloud permissions, potentially giving the vendor access to sensitive data or control of the entire AWS account.
Additionally, 2% of these third-party roles do not enforce the use of external IDs, making them susceptible to a “confused deputy” attack, a scenario in which an attacker tricks a service into using its privileges to perform unintended actions.
“The findings of the State of Cloud Security 2024 suggest that it is unrealistic to expect long-lived credentials to be managed securely,” said Andrew Krug, Head of Security Advocacy at Datadog.
“In addition to identifying long-lived credentials as a major risk, the report shows that most cloud security incidents are caused by compromised credentials. To protect themselves, companies must secure identities with modern authentication mechanisms, leverage ephemeral credentials, and actively monitor changes to APIs that attackers commonly use,” Krug said.