DVC Remote Storage Key
Service Name: Data Version Control (DVC)
Service Description: DVC is an open-source version control system for machine learning projects. It helps track data files, model files, and the code that creates them, allowing for reproducible machine learning experiments.
Service Address: https://dvc.org/
Validation Type: API Auth
IP Allow list: Does not exist at the secret level, but can be configured at the remote storage provider level (AWS S3, Google Cloud Storage, etc.)
Secret Access Scope: Grants access to remote storage backends used by DVC for storing large files and datasets that are tracked by DVC but not stored in Git.
Secret Revokement URL: Depends on the remote storage provider (AWS, GCP, Azure, etc.)
Secret Example: dvc+s3://access:ZXhhbXBsZWtleWZvcmR2Y3JlbW90ZXN0b3JhZ2U=@mybucket/path
Suspicious Activity Investigation Instructions:
- Check the DVC remote storage for unauthorized changes to data files or models
- Review access logs from the remote storage provider (S3, GCS, etc.)
- Examine the Git repository for unusual commits or changes to DVC configuration files
- Look for unexpected data pulls or pushes using DVC commands in CI/CD logs
- Monitor for unusual network traffic to your remote storage endpoints
Mitigation Instructions:
- Revoke the compromised key from your remote storage provider (AWS IAM,
GCP IAM, etc.)
- Generate a new access key for your remote storage
- Update the DVC remote configuration with the new credentials: dvc remote
modify myremote --local access_key_id NEW_KEY
- Verify that the old key is no longer valid by attempting to access the remote
storage
- Review and update access policies on your remote storage to enforce least
privilege
- Consider implementing MFA for accessing remote storage where supported
- Update any CI/CD pipelines or automation tools that use the DVC remote
credentials