Reducing the Risk of Credential Leakage

Long-term cloud credentials are often scattered throughout source code, on laptops or desktops, on servers, in cloud resources and in other locations. It’s easy to copy them across machines, creating credential sprawl that increases your leakage risk. It’s unnecessary, too, because these types of credentials are only required when non-cloud infrastructure resources need to communicate with cloud resources (for example, when data center servers use an AWS S3 bucket). There is no good reason to have long-term credentials stored anywhere else — employees should use temporary credentials by authenticating with their single sign-on (SSO) service.

And yet, credential leaks remain a top culprit in data breaches. The OWASP Top 10 Web Application Security Risks (2017 edition) lists Sensitive Data Exposure, which covers credentials, third overall.

Use osquery to Audit Credentials

Given the current state of credential sprawl, how can security teams effectively track down and audit long-term credentials wherever they live: in source code, in binaries, and in configuration files such as the per-user directories that the native cloud command line tools write (for example ~/.aws)?

Well known for its endpoint visibility capabilities, the open source agent osquery can help you detect and identify credentials throughout your environment by combining Augeas (a configuration-file parsing and editing tool), YARA (a pattern matching tool) and the information its built-in tables already gather. With these, you can search for access tokens, API keys, password hashes and even arbitrary personally identifiable information (PII) across the Linux, macOS and Windows systems in your environment, using either ad hoc or scheduled queries.

Finding Long-Term Credentials in Users’ Home Directories

Before you start, you need to know what you’re looking for: which types of secrets matter to you and what the strings that identify them look like. Published YARA rule sets are a good source of example patterns; open a rule and look at the strings it matches. For example, a rule for US phone numbers uses these two strings:

    // Matches 555-555-1234 or (555) 555-1234
    rule us_phone_number
    {
        strings:
            $1 = /[0-9]{3}-[0-9]{3}-[0-9]{4}/
            $2 = /\([0-9]{3}\) [0-9]{3}-[0-9]{4}/
        condition:
            any of them
    }


Let’s look at how this works with Amazon Web Services (AWS) access keys. AWS gives every IAM resource a unique identifier whose first four characters encode the resource type; access key IDs are 20 characters long and uppercase alphanumeric. To create an inventory of long-term access keys, you need to locate AKIA-prefixed IDs (ASIA-prefixed IDs are temporary STS keys and expire on their own).

Prefix   Resource type
ABIA     AWS STS service bearer token
ACCA     Context-specific credential
AGPA     Group
AIDA     IAM user
AIPA     Amazon EC2 instance profile
AKIA     Access key
ANPA     Managed policy
ANVA     Version in a managed policy
APKA     Public key
AROA     Role
ASCA     Certificate
ASIA     Temporary (AWS STS) access key ID; unique only in combination with the secret access key and the session token


Usually, AWS credentials are stored in the ~/.aws/config and ~/.aws/credentials files in each user’s home directory. Using osquery, it’s simple to identify AWS credentials across your entire fleet using the augeas table. Select only what the inventory needs (file path, profile name, the access key ID and its prefix) and constrain the query so that aws_secret_access_key values are never returned in results; otherwise the audit itself becomes one more place the secrets leak to.
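The two checks described above (decoding the four-character prefix, and inventorying ~/.aws/credentials without copying the secrets) as an added example in Python. This is not code from the original post or from osquery; the credentials-file and source-snippet contents are constructed for the example, using the key IDs AWS publishes as documentation placeholders.

```python
"""Inventory AWS access key IDs without collecting the secrets beside them.

Added example, not part of the original post. Shows:
  1. parsing an INI-style ~/.aws/credentials file and reporting, per profile,
     only the access key ID and the type decoded from its four-character prefix;
  2. scanning arbitrary text (source, configs, shell history) for key-ID-shaped
     tokens, the same pattern a YARA rule for this purpose would carry.
"""
import configparser
import re

# Only these two prefixes from the IAM unique-identifier table denote access
# key IDs; the other prefixes (AIDA, AROA, ...) are IDs of other IAM resources.
ACCESS_KEY_PREFIXES = {
    "AKIA": "long-term access key (IAM user)",
    "ASIA": "temporary access key (STS)",
}

# Access key IDs are 20 uppercase alphanumeric characters. The word boundaries
# stop the pattern from firing inside longer tokens such as base64 blobs.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Constructed sample credentials file: one long-term key, one STS session.
# The key ID and secret are AWS's documentation placeholders, not real material.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2VjEXAMPLE
"""

# Constructed sample of a config file checked into a repository.
SAMPLE_SOURCE = """\
S3_KEY = "AKIAIOSFODNN7EXAMPLE"
SESSION_KEY = "ASIAIOSFODNN7EXAMPLE"
not_a_key = "AKIAIOSFODNN7EXAMPLEXX"   # 22 chars, must not match
sha = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
"""


def classify_key_id(key_id: str) -> str:
    """Return a readable type for an access key ID, or flag a malformed one."""
    if not re.fullmatch(r"[0-9A-Z]{20}", key_id):
        return "malformed (expected 20 uppercase alphanumeric characters)"
    return ACCESS_KEY_PREFIXES.get(key_id[:4], f"unknown prefix {key_id[:4]}")


def inventory_credentials_file(text: str, path: str = "~/.aws/credentials") -> list[dict]:
    """Parse a credentials file and return one finding per profile.

    The secret access key and session token are deliberately never copied into
    the result: the inventory records that a key exists and of which kind.
    """
    # interpolation=None: secret values may contain '%' and must not be expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback=None)
        if key_id is None:
            continue
        key_id = key_id.strip()
        findings.append({
            "path": path,
            "profile": profile,
            "access_key_id": key_id,
            "type": classify_key_id(key_id),
            "long_term": key_id.startswith("AKIA"),
            "has_session_token": parser.has_option(profile, "aws_session_token"),
        })
    return findings


def scan_text_for_key_ids(text: str) -> list[str]:
    """Return the distinct access-key-ID-shaped tokens found in arbitrary text."""
    return sorted(set(ACCESS_KEY_RE.findall(text)))


def long_term_key_ids(text: str) -> list[str]:
    """The AKIA-prefixed subset of hits: the long-term keys worth chasing down."""
    return [k for k in scan_text_for_key_ids(text) if k.startswith("AKIA")]


if __name__ == "__main__":
    for finding in inventory_credentials_file(SAMPLE_CREDENTIALS):
        print(finding)
    print("long-term key IDs in source:", long_term_key_ids(SAMPLE_SOURCE))
```

The findings carry the access key ID itself because it is an identifier, not a secret; it is what you correlate against IAM to find the owning user. The same split applies to an osquery schedule: return the ID, never the `aws_secret_access_key` column value.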


Seshu Pasam

Seshu Pasam is chief software architect at Uptycs.
