Production Secret Is Fetched by a Script
Eco-system support
-
AWS Secrets Manager
-
Azure Key Vault
-
GCP Secrets Manager
Description
Retrieving production secrets from CLI exposes a considerable attack surface and poses a significant security threat. This practice may potentially result in a breach, data exposure, and compliance complications.
Detection triggers
- Secret read event, targeting a secret in a production environment, using a CLI tool user-agent, such as “AWS-CLI” or “AWS Powershell”.
Mitigation
Review abnormal activity
- The usage of CLI in a production environment is considered an anomaly.
Review this activity by following these steps:
- Review the “activity” tab with the CLI actor filter to check if the activity is re-occurring.
-
Investigate the actor identity responsible for the fetching workload, to understand if it is legitimate and expected.
-
If legitimate, move this risk status to ‘approved’.
-
Otherwise, consider rotating the secret and investigating the actors.
-