Cloud services keys should not be visible or hardcoded

Cloud credentials, such as AWS keys, Google Cloud tokens, and Oracle Cloud credential files, should be kept in a safe place and, moreover, must not be plainly visible or hardcoded.

Because cloud credentials grant access to a multitude of services, data stores, file storage and more, they are a high-profile, sought-after piece of sensitive information in hacker communities.

Even if cloud keys are scoped by RBAC or least-privilege policies, once they are exposed you still face the tiring job of tracing and locating every use, rotating the keys, and observing the implications of that rotation. Keeping them stored safely and securely minimizes that productivity loss.

Problem

Cloud provider keys are hardcoded or exposed in configuration files, infrastructure code, or business services.
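The following is an added example, not part of the original rule text, showing how a defender can detect the problem described above in a configuration file: it flags AWS-style access key IDs (documented to begin with AKIA followed by 16 upper-case alphanumerics) and literal values assigned to secret-looking key names, while leaving ${VAR} placeholders alone. The sample config, the pattern set and the key-name heuristic are constructed for this example; the access key ID is AWS's own published example value, not a live credential.

```python
import re

# Constructed sample of a config file with a hardcoded AWS credential pair.
# The key ID is AWS's documented example value, not a real credential.
SAMPLE_CONFIG = """\
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_host = db.internal
api_token = ${API_TOKEN}
"""

# Provider-specific patterns (hypothetical pattern set for this example).
# AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Assignment of a literal to a secret-looking key name (heuristic, assumed here).
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z_]*(secret|token|password|key)[A-Za-z_]*)\s*[=:]\s*(?P<value>\S+)",
    re.IGNORECASE,
)
# Values such as ${API_TOKEN} or $API_TOKEN are references to the environment,
# not hardcoded secrets, so they are not reported.
PLACEHOLDER_RE = re.compile(r"^\$\{?[A-Z0-9_]+\}?$")


def scan_text(text):
    """Return (line_number, finding_name) for every suspected hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
                break
        else:
            match = SECRET_KEY_RE.match(line)
            if match and not PLACEHOLDER_RE.match(match.group("value")):
                findings.append((lineno, "literal_secret:" + match.group("key")))
    return findings


if __name__ == "__main__":
    for lineno, name in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {name}")
```

Run it against a real configuration file by reading the file into a string and passing it to scan_text; a finding means the value should be moved into a secret store and the key rotated, since anything that reached source control must be treated as exposed.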

Fix

Infrastructure

  1. Use a cloud-native secret store, such as AWS Secrets Manager
  2. Use a dedicated vault product, such as:
    1. CyberArk Vault
    2. HashiCorp Vault

Architecture

  1. Prefer a 12-factor architecture
  2. Use secret-loading libraries, such as a dotenv-style (.env) loader for your specific tech stack
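As an added example (not code from the original page), here is the hardcoded pattern this rule flags placed beside the 12-factor alternative: the credential is read from the process environment, which a secret store, vault agent or dotenv-style loader populates at run time, and the service fails closed when it is absent instead of silently falling back to a default. The environment variable names and the placeholder value are assumptions for this example.

```python
import os


# Before (what the rule flags): the credential is baked into source and ships
# with every copy of the code. The value is a constructed placeholder.
AWS_SECRET_ACCESS_KEY = "hardcoded-secret-placeholder"


class MissingSecret(RuntimeError):
    """Raised when a required secret was not provided by the environment."""


def load_secret(name, environ=None):
    """Read a secret from the environment; never fall back to a built-in default."""
    env = os.environ if environ is None else environ
    value = env.get(name)
    if not value:
        raise MissingSecret(
            f"{name} is not set; provide it from your secret store, not from source"
        )
    return value


def build_client_config(environ=None):
    """After: assemble cloud client settings from environment-provided secrets."""
    return {
        "access_key_id": load_secret("AWS_ACCESS_KEY_ID", environ),
        "secret_access_key": load_secret("AWS_SECRET_ACCESS_KEY", environ),
    }


def redact(secret, keep=4):
    """Mask a secret for logs so that a misconfiguration report cannot leak it."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


if __name__ == "__main__":
    try:
        config = build_client_config()
        print("access key id:", redact(config["access_key_id"]))
    except MissingSecret as exc:
        print("startup refused:", exc)
```

The environ parameter exists so the loader can be unit-tested with a dictionary; in production it reads os.environ, which the secret store integration (or a .env loader in local development only) fills in before the process starts.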

See