If you’ve been basking in the comfort of thinking your cloud environment is secure, you might want to take another look, especially if old accounts with long-lived credentials are still keeping the show running. Datadog’s State of Cloud Security 2024 report makes the point bluntly: leaving long-lived credentials active across AWS, Azure, and Google Cloud creates gaps that can put an entire business at risk.
Let's Talk About Long-Lived Credentials: What are They?
First, the basics: long-lived credentials are static access keys, secrets, or tokens that stay valid for months or years (AWS IAM user access keys, Google Cloud service account keys, Microsoft Entra ID application secrets) and let a person or a workload interact with cloud resources. Think of them as the skeleton keys to your cloud kingdom. Short-lived credentials, by contrast, expire after minutes or hours and have to be re-issued, typically by exchanging a stronger identity (a role, a managed identity, a federated token) for a temporary one.
Long-lived credentials sound convenient because nobody has to renew them. That convenience is exactly the problem: unless they are actively managed (rotated, scoped down, and revoked when unused), they become easy pickings for attackers. Worse, they tend to end up scattered through source code, container images, CI output, and logging systems, and a single leaked key gives whoever finds it the same access its owner had, with no second factor to get past.
Imagine leaving the front door of your house wide open while you’re on vacation for years—welcome to the same world of risk long-lived credentials pose to cloud environments.
Key Findings From Datadog's Report: Staggering and Alarming Stats
Datadog’s research has exposed some glaring facts that should send shivers down the spine of any IT security team:
- 46% of organizations still have unmanaged users (accounts created directly in the cloud provider’s IAM rather than federated from a central identity provider) holding long-lived credentials.
- 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications have access keys or secrets that are more than a year old.
- 18% of AWS EC2 instances and 33% of Google Cloud VMs are attached to roles or service accounts with sensitive permissions. An attacker who gets code execution or a server-side request forgery (SSRF) on such a machine can pull the instance’s credentials from the metadata service and inherit those permissions, which is how one compromised host turns into an account-wide breach.
- More than 10% of third-party integrations have risky cloud permissions that would let an external vendor read sensitive data or, in the worst case, take over the whole cloud account.
Real-Life Scenarios: The Practical Risks of Neglecting Credential Management
Let’s dive into why this is a big deal with some hypothetical, yet entirely plausible, examples:
1. Unmanaged AWS IAM Keys: A “Leak” Waiting to Happen
Say someone created an AWS IAM user years ago with full S3 access, and nobody has checked since whether its access key is still needed. That key ends up in a GitHub repository (public or private), a container image layer, or a CI log, in code nobody has revisited. Anyone who finds it can list and download everything in S3, tamper with production data, or spin up expensive compute on your bill, and because the key never expires, they can keep doing so until someone notices and deactivates it. The IAM credential report, with each key’s creation and last-used dates, tells you which keys are candidates for removal before an attacker makes the decision for you.
2. The “Confused Deputy” Attack
Datadog found that 2% of third-party roles on AWS don’t enforce an External ID. When a vendor integrates with your account, you create a role whose trust policy lets the vendor’s AWS account assume it. Without an sts:ExternalId condition, the trust policy can’t tell the vendor’s customers apart: another customer of the same vendor who learns or guesses your role ARN can point the vendor’s integration at your role, and the vendor, acting as the deputy, assumes it with its own perfectly legitimate credentials. The External ID is a per-customer value the vendor must present on every AssumeRole call, so the vendor can only reach your account on your behalf. The result of skipping it? Chaos.
3. Default Over-Permissions: A Hacker’s Paradise
Imagine a Google Cloud VM running critical workloads under the default Compute Engine service account, which is commonly granted the broad Editor role on the project. Anything that gets code execution on that VM (a vulnerable web app, a malicious dependency, an SSRF bug) can fetch a bearer token for that service account from the metadata server and use it from anywhere. A small hiccup becomes a sprawling breach that nobody catches until it’s too late.
Why Automated Credential Management Is the Hero We All Need
Turns out, the weakest link isn’t the latest zero-day malware; it’s us and our outdated credential practices. The Datadog report stresses moving away from static keys altogether where the platform allows it, and automating the monitoring, rotation, and removal of whatever static credentials remain, with no manual intervention. The building blocks already exist.
Amazon Web Services issues temporary credentials through the AWS Security Token Service (STS): workloads on EC2, Lambda, and ECS get them automatically from an attached IAM role, people get them through IAM Identity Center or AssumeRole, and external CI systems can exchange an OpenID Connect token for them. Google Cloud Workload Identity Federation does the same for workloads running outside Google Cloud, exchanging an external identity for short-lived Google credentials so no service account key ever has to be downloaded, while workloads on Google Cloud simply run with a service account attached to the VM or service. On Azure, Managed Identities give Azure-hosted services an identity with no secret to store, and Microsoft Entra workload identity federation covers workloads hosted elsewhere.
These tools have become essential to reducing human error and plugging gaping security holes caused by poor credential hygiene.
Key features of automated credential management include:
- Periodic Credential Rotation: Replaces old credentials with new ones at regular intervals, which caps how long a leaked key stays usable. Rotation is a mitigation, not a fix: a key rotated every 90 days that sits in a public repository is still a 90-day open door, so the first question should always be whether the key can be replaced by a role or managed identity.
- Access Policies: Issues every credential with tightly scoped, context-based permissions (specific actions, specific resources, and where supported conditions such as source network or session tags); no more “God-mode” accounts.
- Credential Monitoring: Watches for suspicious use (calls from a new region or IP range, a key that suddenly enumerates every bucket) and revokes a credential immediately when something looks wrong.
But Wait, There’s More: Cloud Providers are Trying (But Not Enough)
The cloud platforms aren’t sitting idly by. The report highlights some positives, such as adoption of S3 Block Public Access, which now covers 79% of buckets (up from 73% last year). That is progress, but there is clearly room for significant improvement.
Aside from technical features, cloud providers are increasingly advocating Zero Trust Architecture, an approach in which trust is never granted automatically, even to authenticated users, and every request is evaluated on its identity, device, and context. Just-in-time access (permissions granted for a bounded task and time window, then removed) and fine-grained privilege settings are critical steps toward mitigating the risks highlighted in the Datadog report. If you’re not incorporating these into your operations, you’re simply living on borrowed time.
What Can Businesses Do Immediately?
Securing your cloud environment may seem overwhelming, but here’s a checklist to get you started:
- Audit Your Credentials:
  - Inventory every long-lived credential: AWS IAM user access keys (the IAM credential report lists them with creation and last-used dates), Google Cloud user-managed service account keys, and Microsoft Entra ID application secrets and certificates.
  - Deactivate keys that have not been used in 90 days and delete them once nothing breaks; flag any key older than a year, and any key attached to an excessively permissive policy, for replacement.
- Adopt Automated Tools:
  - Where a static secret is unavoidable (a database password, a third-party API key), keep it in AWS Secrets Manager or Azure Key Vault and rotate it on a schedule, so it is never copied into code or config.
  - Everywhere else, prefer credentials that expire on their own: IAM roles and STS for AWS workloads, Managed Identities on Azure, attached service accounts or Workload Identity Federation on Google Cloud, and OpenID Connect federation for CI/CD pipelines instead of a stored deploy key.
- Practice the Principle of Least Privilege:
  - Grant users and services only the actions and resources their job actually requires, and review access periodically, since permissions accumulate but are rarely removed.
- Implement Cloud Guardrails:
  - Use built-in checks such as AWS Config managed rules (access-keys-rotated and iam-user-unused-credentials-check) or Google Cloud organization policy constraints (for example iam.disableServiceAccountKeyCreation, which blocks creation of new service account keys) to enforce the policy automatically rather than by memo.
- Secure Third-Party Integrations:
  - Regularly review third-party roles and permissions to ensure they align with your security requirements, and remove integrations you no longer use.
  - Enforce External IDs on every cross-account role a vendor assumes, and confirm the vendor supports them before you onboard.
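To make the first and last items of this checklist concrete, here is an added example in Python (not from the Datadog report, the TechRadar article, or any cloud provider’s tooling) that runs two of these checks offline against artifacts you can already export: it flags stale or idle access keys in an AWS IAM credential report, and it flags cross-account trust policies that let another account assume a role without an sts:ExternalId condition, the gap behind the confused-deputy scenario above. The credential report rows, the account IDs 111122223333 and 999988887777, the External ID value, and the fixed clock are constructed for illustration; only the CSV column names and the trust-policy JSON shape are the real AWS formats.

```python
"""Added example: two offline credential-hygiene checks on constructed sample data."""
import csv
import io
from datetime import datetime, timezone

# --- Check 1: stale IAM access keys in the AWS IAM credential report ---
# The report is the CSV that `aws iam get-credential-report` returns (base64-encoded).
# The header below is a subset of the real report's columns; the rows are constructed.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2024-10-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-06-15T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-15T12:00:00+00:00,2024-10-20T09:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
old-backup,arn:aws:iam::111122223333:user/old-backup,2020-01-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-01-10T09:00:00+00:00,2022-02-01T01:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-09-01T09:00:00+00:00,true,2024-10-25T07:00:00+00:00,2024-09-01T09:00:00+00:00,2024-11-30T09:00:00+00:00,true,true,2024-09-01T09:00:00+00:00,2024-10-26T07:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO-8601; N/A, not_supported and no_information mean 'none'."""
    if value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, now=NOW, max_age_days=365, max_idle_days=90):
    """Return (user, key_slot, reasons) for every *active* access key that is older
    than max_age_days or unused for max_idle_days (a never-used key counts as idle)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue  # inactive or absent keys cannot be used; skip them
            rotated = _parse_ts(row[f"{slot}_last_rotated"])
            last_used = _parse_ts(row[f"{slot}_last_used_date"])
            age_days = (now - rotated).days if rotated else None
            idle_days = (now - last_used).days if last_used else None
            reasons = []
            if age_days is None or age_days > max_age_days:
                reasons.append(f"age {age_days}d exceeds {max_age_days}d")
            if idle_days is None or idle_days > max_idle_days:
                reasons.append(f"idle {idle_days}d exceeds {max_idle_days}d")
            if reasons:
                findings.append((row["user"], slot, reasons))
    return findings


# --- Check 2: cross-account trust policies that skip sts:ExternalId ---
# Without the condition, any customer of the vendor who learns your role ARN can have the
# vendor assume *your* role (confused deputy). Account IDs and the External ID are made up.
OWN_ACCOUNT = "111122223333"
VENDOR_ROOT = "arn:aws:iam::999988887777:root"

WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": VENDOR_ROOT}, "Action": "sts:AssumeRole"}]}

FIXED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": VENDOR_ROOT}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "7f3c-unique-per-customer"}}}]}


def _account_of(principal):
    """Account ID from 'arn:aws:iam::ACCOUNT:...' or a bare account ID; '*' stays '*'."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def missing_external_id(trust_policy, own_account=OWN_ACCOUNT):
    """Return foreign principals allowed to AssumeRole with no sts:ExternalId condition."""
    offenders = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else principal.get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        cond = stmt.get("Condition", {})
        has_ext_id = any("sts:ExternalId" in cond.get(op, {})
                         for op in ("StringEquals", "StringLike"))
        offenders += [p for p in principals if _account_of(p) != own_account and not has_ext_id]
    return offenders


if __name__ == "__main__":
    for user, slot, reasons in stale_access_keys(SAMPLE_CREDENTIAL_REPORT):
        print(f"{user}/{slot}: {'; '.join(reasons)}")
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("fixed", FIXED_TRUST_POLICY)):
        print(f"{name} trust policy, principals missing ExternalId: {missing_external_id(policy)}")
```

On the sample data the first check flags ci-deploy (key older than a year, though still in use, so it needs a planned replacement rather than a surprise deletion) and old-backup (old and idle, a safe deactivate-then-delete candidate), and leaves alice alone; the second check reports the vendor principal for the weak policy and nothing for the fixed one. In a real account, feed it the decoded output of `aws iam get-credential-report` and the trust policies from `aws iam get-role`, and treat a principal of `*` as the most urgent finding of all.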
Conclusion: Complacency Isn’t a Security Strategy
The message here couldn’t be clearer: long-lived credentials are outdated relics that do more harm than good in modern cloud environments. If you’re still holding on to them like a sentimental keepsake, it’s time to let them go, for your own business’s safety.
Short-lived credentials backed by strong automation policies are the present and future of cloud security management. Organizations must act decisively to shift away from lax practices or risk becoming the next cautionary tale in a growing list of devastating cloud security breaches.
So, WindowsForum members, here’s your call to action: when was the last time you reviewed your cloud credentials? Share your thoughts and concerns in the forum—after all, a little paranoia is a good thing when it comes to cybersecurity.
Source: TechRadar AWS, Azure and Google Cloud credentials from old accounts are putting businesses at risk