Production Token Is Used by IDE Client
Description
Developers debugging the production environment from their IDE exposes a considerable attack surface and poses a significant security threat. This practice may potentially result in a breach, data exposure, and compliance complications.

Detection triggers
- Token usage event from a client user-agent that is linked to an IDE client, such as "Visual Studio" or "Eclipse".
Mitigation
Review abnormal activity
The usage of IDE in a production environment is considered a bad practice.
Review this activity by following these steps:
-
Review the "activity" tab to check its activity for the following behavior.
-
Is his new activity aligned with his previous one, or is it used to perform new actions.
-
Is the workload IP and client identical to its previous usage.
JSON Example
Risk JSON
account: {environment: "qa", environmentType: "QA"}
accountId: "116849364939"
accountType: "AWS"
category: "ABNORMAL_BEHAVIOR"
correlationGuid: "NTR-127166"
creationDate: "2024-08-03T00:45:13.661Z"
customData: null
customerId: 34
data: {token: {uid: "247591c1-1ded-45e1-9c6a-f1044e15c0c4", guid: "TKN-754", tags: {tags: []},…},…}
description: "Developers debugging production environment from their IDE exposes a considerable attack surface and poses a significant security threat. This practice may potentially result in a breach, data exposure, and compliance complications."
destination: "AWS_IAM_ACCESS_KEY"
guid: "RSK-6170"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 19013
isArchived: false
key: "PROD_TOKEN_IDE-TKN-754"
linkedElements: ["TKN-754"]
logChangeType: null
modifyDate: "2024-08-03T18:45:13.747Z"
name: "Production token is used by IDE client"
occurrences: ["AWS_IAM_ACCESS_KEY"]
owner: "omerb"
ownerAiObject: {similarity: 0.975, ownerItemType: "email", elementItemType: "username",…}
ownerUid: "467e25ce-e0b8-4edf-bdc8-ec80a8448c1a"
path: "AKIARWNGDZ7F24LOLP1A"
ruleCode: "PROD_TOKEN_IDE"
scanId: 856541
severity: "HIGH"
source: "AWS"
status: "OPEN"
tags: ["SOC2", "Insider Threat", "test"]
tasks: [{customerId: 34, riskId: 19013, type: "REVIEW_ACTIVITY", level: "HARD",…}]
type: "BLAST"
Linked Element (NHI Token) JSON
accessedDate: "2024-06-20T08:45:00.000Z"
account: {environment: "qa", environmentType: "QA", accountType: "AWS", id: "116849364939"}
accountId: "116849364939"
accountType: "AWS"
awsPolicies: {policies: [,…], userUsage: {secretsmanager: ["List", "Read"]},…}
azurePermissions: null
azureRoles: null
correlationGuid: "NTR-127166"
creationDate: "2024-06-18T10:03:18.000Z"
creator: {eventId: "14bf1c74-c8e5-42a6-a737-55f3a11af52d", username: "omerb",…}
customerId: 34
devices: [{role: "omer.ba", region: "us-east-1", ipAddress: "213.8.185.214",…}]
guid: "TKN-754"
infoJSON: "{\"serviceName\":\"secretsmanager\",\"region\":\"us-east-1\",\"userArn\":\"arn:aws:iam::116849364939:user/omer.ba\"}"
isActive: false
isAdmin: false
isArchived: false
isIdle: true
isProd: false
lastAccessors: []
lastModifiers: []
lastOwnerAiUpdate: null
liminalCreationDate: "2024-06-18T18:40:19.068Z"
liminalModifyDate: "2024-10-29T12:39:14.703Z"
originAccessMethod: "AWS_IAM_ACCESS_KEY"
owner: "omerb"
ownerAiObject: {similarity: 1, ownerItemType: "email", elementItemType: "username", originalOwnerValue: "Yakov Cohen",…}
ownerSource: null
ownerUid: "d96ffcfa-704e-4e4f-a4b6-602d5f8a7c5a"
riskSeverity: "HIGH"
rotationDate: "2024-06-18T10:03:18.000Z"
scanId: 2884527
serviceName: "secretsmanager"
status: "Active"
tags: {tags: []}
tokenId: "AKIARWNGDZ7F24LOLP1A"
tokenTotalAccess: 32
tokenTotalIp: 19
tokenTotalUserAgent: 17
uid: "1871bfd1-8302-4969-a777-519613e403c5"
userAgent: null
username: "omerb"