Skip to content

DVC Remote Storage Key

Service Name: Data Version Control (DVC)

Service Description: DVC is an open-source version control system for machine learning projects. It helps track data files, model files, and the code that creates them, allowing for reproducible machine learning experiments.

Service Address: https://dvc.org/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but can be configured at the remote storage provider level (AWS S3, Google Cloud Storage, etc.)

Secret Access Scope: Grants access to remote storage backends used by DVC for storing large files and datasets that are tracked by DVC but not stored in Git.

Secret Revokement URL: Depends on the remote storage provider (AWS, GCP, Azure, etc.)

Secret Example: dvc+s3://access:ZXhhbXBsZWtleWZvcmR2Y3JlbW90ZXN0b3JhZ2U=@mybucket/path

Suspicious Activity Investigation Instructions:

  • Check the DVC remote storage for unauthorized changes to data files or models
  • Review access logs from the remote storage provider (S3, GCS, etc.)
  • Examine the Git repository for unusual commits or changes to DVC configuration files
  • Look for unexpected data pulls or pushes using DVC commands in CI/CD logs
  • Monitor for unusual network traffic to your remote storage endpoints

Mitigation Instructions:

  • Revoke the compromised key from your remote storage provider (AWS IAM,

GCP IAM, etc.)

  • Generate a new access key for your remote storage
  • Update the DVC remote configuration with the new credentials: dvc remote

modify myremote --local access_key_id NEW_KEY

  • Verify that the old key is no longer valid by attempting to access the remote

storage

  • Review and update access policies on your remote storage to enforce least

privilege

  • Consider implementing MFA for accessing remote storage where supported
  • Update any CI/CD pipelines or automation tools that use the DVC remote

credentials