Exposed Secrets Goldmine
Description
Concentrating multiple exposed secrets in the same location presents a high-value target for potential attackers. This poor secret storage practice significantly expands the attack surface, creating a ‘goldmine’ of sensitive information in the event of a breach. Such aggregation heightens the risk of widespread unauthorized access, data leakage, and compliance failures. Proper secret management practices are essential to mitigate this exposure, including segregating secrets, enforcing access controls, and reducing the clustering of sensitive data in vulnerable areas.

Detection triggers
When detecting over 5 exposed secrets in the same location, and the exposed secrets are not invalid, revoked or disabled.
Mitigation
Notify the secret owners about the exposure they created and request any possible justification.
Take the following steps to guarantee your organization\'s security:
-
Eliminate exposure points where feasible to minimize the potential attack surface.
-
If the exposure was unintentional, it is strongly advised to revoke the secret and generate a new one
JSON Example
Risk JSON
account: {environment: "qa", environmentType: "QA"}
accountId: "116849364939"
accountType: "AWS"
category: "EXPOSED_SECRET"
correlationGuid: "NTR-163367"
creationDate: "2024-09-10T16:13:45.512Z"
customData: null
customerId: 34
data: {owner: {uid: "081f5868-630b-4b5a-b0c2-93382dda853c",…},…}
description: "This indicate a bad practice of secret storing misuse, with significant attack surface in case of a breach."
destination: "GITHUB_API_TOKEN"
guid: "RSK-8438"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 37225
isArchived: false
key: "https://us-east-1.console.aws.amazon.com/lambda/home?#/functions/test_goldmine_0309?tab=configure"
linkedElements: ["EXP-46168", "EXP-46166", "EXP-48606", "EXP-46167", "EXP-46165", "EXP-48605", "EXP-46171"]
logChangeType: null
modifyDate: "2024-09-03T08:53:46.000Z"
name: "Exposed secrets “gold-mine” found in Aws lambda"
occurrences: ["AWS_LAMBDA"]
owner: "Nick Cave"
ownerAiObject: {similarity: 1, ownerItemType: "fullname", elementItemType: "username",…}
ownerUid: "04f3c267-696f-46eb-855a-311758477d1d"
path: "many_secrets_0309"
ruleCode: "GOLD_MINE"
scanId: 3128040
severity: "CRITICAL"
source: "AWS_LAMBDA"
status: "OPEN"
tags: ["Exposed"]
tasks: [{customerId: 34, riskId: 37225, type: "PAT_REVOKE", level: "MEDIUM",…}]
type: "EXPOSED_GOLD_MINE"
Linked Element (Exposed Secret) JSON, example of one of the exposures
account: {environment: "qa", environmentType: "QA", accountType: "AWS", id: "116849364939"}
accountId: "116849364939"
accountType: "AWS"
correlationGuid: "NTR-162608"
customerId: 34
detectionTime: "2024-11-03T11:16:05.444Z"
exposedLocationType: "AWS_LAMBDA"
exposureOnExternalChat: false
exposureOnPublicGitRepo: null
exposurePath: "many_secrets_0309"
exposureUrl: "https://us-east-1.console.aws.amazon.com/lambda/home?#/functions/many_secrets_0309?tab=configure"
guid: "EXP-46168"
isAdmin: false
isArchived: false
isHidden: false
isNhi: null
keyFindingsJson: {region: "us-east-1", runtime: "nodejs20.x",…}
keyId: "arn:aws:lambda:us-east-1:116849364939:function:many_secrets_0309_GH_PAT"
keyType: "ENVIRONMENT_VARIABLE"
lastModified: "2024-09-03T08:53:46.000Z"
liminalCreationDate: "2024-09-10T12:22:32.236Z"
liminalModifyDate: "2024-11-03T13:16:09.347Z"
linkedElements: []
location: "us-east-1"
ocr: null
origin: "GITHUB_API_TOKEN"
owner: "nick.cave@entro.security"
ownerAiObject: {similarity: 1, ownerItemType: "secondaryEmail", elementItemType: "username",…}
ownerUid: "081f5868-630b-4b5a-b0c2-93382dda853c"
scanId: 3162198
secretSnippet: "github_pat"
severity: "CRITICAL"
status: "INVALID"
tags: {tags: ["qa"]}
uid: "0a7c01ce-910d-4cbb-8fab-3c605bf6c0d5"
vendorHash: "/vcefUxcL1ztGdTpC2DEOffAxKr6hliKHKcLPo865rG="