Production Secret Is Fetched by IDE
Eco-system support
-
AWS Secrets Manager
-
Azure Key Vault
-
GCP Secrets Manager
Description
Retrieving production secrets from IDE exposes a considerable attack surface and poses a significant security threat. This practice may potentially result in a breach, data exposure, and compliance complications.
Detection triggers
- Secret read event, targeting a secret in a production environment, using an IDE tool user-agent, such as “Visual Studio” or “Eclipse”.
Mitigation
Review abnormal activity
The usage of IDE in a production environment is considered an anomaly.
Review this activity by following these steps:
- Review the “activity” tab with the IDE actor filter to check if the activity is re-occurring.
-
Investigate the actor identity responsible for the fetching workload, to understand if it is legitimate and expected.
-
If legitimate, move this risk status to ‘approved’.
-
Otherwise, consider rotating the secret and investigating the actors.
-