Organizations warned of the dangers of ‘long-lived’ cloud credentials

Cloud security concept image showing a cloud symbol placed on top of a circuit board.
(Image credit: Getty Images)

‘Long-lived’ cloud credentials are still a major risk for organizations across all cloud providers, according to new research from Datadog, and nearly half or organizations are using them.

These cloud credentials never expire and are a major security risk, often leaked in source code, container images, build logs and application artifacts - indeed, they're the most common cause of publicly documented cloud security breaches.

They're widespread across all major clouds, often old and sometimes even unused, with 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications having an access key more than a year old.

"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," said Andrew Krug, head of security advocacy at Datadog.

"In addition to long-lived credentials being a major risk, the report found that most cloud security incidents are caused by compromised credentials."

The good news is that more organizations are now using cloud guardrails as cloud providers start to enable them by default. Nearly eight-in-ten S3 buckets are covered by an account-wide or bucket-specific S3 Public Access Block, up from 73% a year ago.

However, more than 18% of AWS EC2 instances and a third of Google Cloud VMs have sensitive permissions to a project, putting organizations at risk by allowing any attacker compromising the workload to steal associated credentials and access the cloud environment.

Similarly, one-in-ten third-party integrations have risky cloud permissions, the study found, allowing the vendor to access all data in the account or to take over the whole AWS account.

Meanwhile, 2% of third-party integration roles don't enforce the use of External IDs, allowing an attacker to compromise them through a "confused deputy" attack.

"To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use," advised Krug.

In the wake of the study, Datadog said organizations should make use of mechanisms that provide time-bound, temporary credentials. For workloads, this can be managed with IAM roles for EC2 instances or EKS Pod Identity in AWS, Managed Identities in Azure, and service accounts attached to workloads for Google Cloud.

For humans, the most effective solution is to centralize identity management using a solution like AWS IAM Identity Center, Okta, or Microsoft Entra ID, and to avoid the use of individual cloud users for each employee, which can be highly inefficient and risky.

Concerns over risky cloud credentials continue

Stolen and exposed cloud credentials were identified earlier this year as 2024's biggest cloud security risk.

RELATED WHITEPAPER

Managed detection and response company Expel said that identity threats accounted for nearly two-thirds of all incidents investigated by its security operations center, and that cloud infrastructure incidents were up by 72% across the last year.

Notably, stolen or leaked credentials responsible for two-in-five incidents, highlighting the scale of the issue.

More than nine-in-ten of the incidents it detected or responded to occurred in AWS, with just 4% split evenly between GCP and Azure. This was despite the fact that around half the company's cloud customers use AWS, around a third use Azure, and roughly 17% use GCP.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.