Skip to content

Production Secret Is Fetched by a Script

Eco-system support

  • AWS Secrets Manager

  • Azure Key Vault

  • GCP Secrets Manager

Description

Retrieving production secrets from CLI exposes a considerable attack surface and poses a significant security threat. This practice may potentially result in a breach, data exposure, and compliance complications.

Detection triggers

  • Secret read event, targeting a secret in a production environment, using a CLI tool user-agent, such as “AWS-CLI” or “AWS Powershell”.

Mitigation

Review abnormal activity

  1. The usage of CLI in a production environment is considered an anomaly.

Review this activity by following these steps:

  1. Review the “activity” tab with the CLI actor filter to check if the activity is re-occurring.
  2. Investigate the actor identity responsible for the fetching workload, to understand if it is legitimate and expected.

    • If legitimate, move this risk status to ‘approved’.

    • Otherwise, consider rotating the secret and investigating the actors.