Skip to content

External Accounts Can Read Your Secrets

Description

External entities who have obtained access to your organization's secrets could potentially gain access to your data. Therefore, it is crucial to exercise caution and consider the risks involved before allowing external access to your organization's secrets.

Risk triggers

  • GCP:

    • Permissions over the following services:

      • GCP Secret Manager

      • GCP Kubernetes Engine

      • GCP KMS (Key Management)

    • The entity will be qualified as external if it’s a Google group, or a service account not a part of an organization onboarded to the SailPoint Entro platform.

  • Azure:

    • App registration with permissions over the following services:

      • Azure storage keys

      • Azure key vault

      • Azure storage blob

      • Azure DevOps tokens

      • Azure Teams tokens

    • The app registration will be qualified as “External” if the parent tenant is not onboarded to the SailPoint Entro platform.

  • AWS:

    • Role with permissions to read secrets from one of these AWS services:

      • Secrets manager

      • KMS

      • ACM

      • SSM

      • EKS

      • Kubernetes secrets

    • Role with external assume role permissions trust to an AWS account that isn’t onboarded to SailPoint Entro’s platform

Mitigation

Eliminate external attack surface.

Allowing external accounts to read your secrets is considered a bad practice. To revisit external trust permissions, follow the mitigation steps in the platform.

JSON Example

Risk JSON

account: {environment: "dev", environmentType: "DEV"}
accountId: "120768082511"
accountType: "AWS"
category: "LEAST_PRIVILEGE"
correlationGuid: null
creationDate: "2024-09-08T15:00:49.780Z"
customData: [{label: "Role name", value: "security-role-test"},…]
customerId: 34
data: {risk: {roleArn: "arn:aws:iam::120768082511:role/security-role-test",…},…}
description: "Entro has identified a role that can be assumed by an external AWS account, granting read access to your secrets, increasing the risk of a security breach because your enterprise's attack surface expands.\n      External entities who have obtained access to your organization's secrets could potentially gain access to your data. Therefore, it is crucial to exercise caution and consider the risks involved before allowing external AWS access to your organization's secrets."
destination: "AWS_ROLE"
guid: "RSK-8345"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 36301
isArchived: false
key: "foreign-acl-risk-qa.entro.security-arn:aws:iam::120768082511:role/security-role-test-120768082511"
linkedElements: ["TKN-1349"]
logChangeType: null
modifyDate: "2024-10-22T15:03:48.413Z"
name: "External AWS accounts can read your secrets"
occurrences: []
owner: "security-role-test"
ownerAiObject: null
ownerUid: null
path: null
ruleCode: "FOREIGN_ACL_ROLE"
scanId: 2603568
severity: "MEDIUM"
source: "AWS"
status: "OPEN"
tags: ["External Access", "ACL", "dev"]
tasks: [{customerId: 34, riskId: 36301, type: "ELIMINATE_EXTERNAL_TRUST", level: "MEDIUM",…}]
type: "USER_PRIVILEGES"

Linked Element (NHI Token) JSON

accessedDate: "2024-09-30T13:32:36.000Z"
account: {environment: "dev", environmentType: "DEV", accountType: "AWS", id: "120768082511"}
accountId: "120768082511"
accountType: "AWS"
awsPolicies: {policies: [], userUsage: null, tokenUsage: null, policiesUsage: {}, userExcessiveUsage: null,…}
azurePermissions: null
azureRoles: null
correlationGuid: null
creationDate: "2024-09-08T10:03:22.000Z"
creator: {eventId: "619c34b4-6ad2-4385-b907-a4336c1cdc77", username: "luis@entro.security",…}
customerId: 34
devices: null
guid: "TKN-1349"
infoJSON: "{\"trustedRelationships\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::120768082511:root\"},\"Action\":\"sts:AssumeRole\"}]},\"userArn\":\"arn:aws:iam::120768082511:role/security-role-test\",\"roleUrl\":\"https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-2#/roles/details/security-role-test?section=permissions\"}"
isActive: false
isAdmin: false
isArchived: false
isIdle: false
isProd: false
lastAccessors: []
lastModifiers: [{eventId: "64d179c3-4dd7-4a49-8d0d-702a5b4125f0", username: "luis@entro.security",…},…]
lastOwnerAiUpdate: null
liminalCreationDate: "2024-10-30T09:26:19.960Z"
liminalModifyDate: "2024-10-30T09:26:19.960Z"
originAccessMethod: "AWS_ROLE"
owner: "luis@entro.security"
ownerAiObject: {similarity: 1, ownerItemType: "secondaryEmail", elementItemType: "username",…}
ownerSource: "CREATOR_USERNAME"
ownerUid: "d62ded04-48ee-413d-bca3-743f54437363"
riskSeverity: "MEDIUM"
rotationDate: "2024-09-08T10:03:22.000Z"
scanId: 2993551
serviceName: "iam"
status: "Active"
tags: {tags: []}
tokenId: "AROARYHSWWJHRDAAPYTFD"
tokenTotalAccess: 0
tokenTotalIp: 0
tokenTotalUserAgent: 0
uid: "3295ee1a-2cef-43bf-a77f-8ad6d58f6619"
userAgent: null
username: "security-role-test"