Stale Secrets
Idle secret, Idle token
Eco-system support
-
AWS Secrets Manager
-
Azure Key Vault
-
GCP Secrets Manager
-
GitHub Action Secrets
Description
Idle tokens, also known as dormant or stale tokens, pose a security risk because they may no longer be actively used, but they still grant access to sensitive information and resources. This can be particularly damaging if the tokens have high privileges, as the attacker can use them to make unauthorized changes or exfiltrate data.
Risk triggers
-
Secret or token that wasn’t used for at least 30 days (by default)
-
Idle thresholds can be configured according to the policies of your organization
Mitigation
Disable and delete tokens not in use
Idle tokens aren't used by any workload.
-
Step 1:
- You can safely disable them without impacting the organization.
-
Step 2:
- Contact the token owner and let him know it is no longer needed.