Automation enables organizations to leverage the dynamic capabilities of the cloud. Today, enterprises are increasingly leveraging automation tools and DevOps initiatives to drive greater business agility, improve efficiency, and optimize business processes. To achieve this agility securely, automation tools pass credentials through APIs to ensure that only authenticated automation tools, applications, etc. can access the organization’s cloud resources, customer data, infrastructure and other applications. Each of the public cloud vendors uses secure credentials, generically referred to as 'API keys' or 'access keys,' which are unique to the organization’s cloud environment and are established during setup of the cloud environment.
For example, in Amazon Web Services (AWS) environments, scripts use AWS Access Keys for accessing data, auto-scaling and other functions. With Azure, Azure Application Keys play a similar role, as do API Keys for Google Cloud Platform. These API keys are very powerful, enabling, for example, a script or user to stop or start a virtual server, copy a database or even wipe out entire workloads. With API keys, a script or user can do pretty much anything they want within a given cloud environment. In the wrong hands, they represent a major vulnerability.
API keys are essentially the 'keys to the cloud kingdom,' yet despite this far-reaching power they are often relatively unprotected. Attackers use phishing to gain access to unprotected endpoints and steal the API keys stored there. Keys are also often embedded within applications, automation scripts and orchestration tools; as a consequence they are frequently static and never changed, effectively hardcoded and available in any copy of the app code or script. Attackers also harvest API keys from public repositories such as GitHub, where code is inadvertently pushed without the API keys removed first. It is an easy mistake for a developer to make, and attackers use bots to trawl these repositories, leaving little time for the developer to correct the error.
News reports underscore the dangers unsecured API keys present. Consider the OneLogin breach from May 2017, during which an attacker gained access to a set of API keys and used them to access the AWS API from an intermediate host with another, smaller service provider, creating havoc for the organization.
Because API keys are such powerful credentials and so widely used in cloud workloads, securing them and applying the principle of least privilege is imperative.
Four Steps for Securing API Keys
To help secure their cloud workloads, enterprises should take the following four steps to prevent attackers from compromising the organization's API keys:
- Discover and enumerate all keys: Leverage discovery tools that can scan your cloud environment to pinpoint where API keys and other secrets exist. Assess and prioritize the API key and infrastructure vulnerabilities and collect reliable and comprehensive audit information.
- Remove embedded API keys: Securely remove API keys from scripts, applications and automation tools. Similarly, prevent human users from directly accessing the API keys.
- Secure API keys: Proactively protect API keys by storing them in a secure, centralized vault that supports strong access controls, allowing only authorized users and applications to reach them. Additionally, automatically rotate API keys and apply the principle of least privilege (including removing redundant permissions from the account role that is assigned to the API key).
- Automate securing credentials: Leverage API key access to the digital vault and use integrations with automation tools and scripts to automate and ensure the secure use of the API keys. To ensure that only the correct applications have access to the API keys, use machine IDs and application authentication.
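The following Python script is an added example, not code from the original post or from any vendor's tooling, that ties the four steps together for a single deployment script: it discovers embedded access keys (step 1), redacts them for an audit report so the report itself does not re-leak the secret, shows the hardened retrieval that replaces the embedded key with one injected at run time by a secrets store (steps 2 and 4), and checks a key's age against a rotation window (step 3). The detector patterns, the sample `deploy.sh` content, the environment-variable name and the 90-day rotation window are all assumptions constructed for illustration.

```python
"""Added example (not from the original post): discover hardcoded cloud access
keys in a script, redact them for audit output, replace them with run-time
retrieval from a secrets store, and check key age against a rotation policy.
All patterns and sample inputs below are constructed for illustration."""
import re
from datetime import datetime, timedelta

# Assumed detector patterns (illustrative, not exhaustive). AWS access key IDs
# are 20 characters beginning with "AKIA"; the matching secret is 40 characters
# of base64-like text and is usually found next to an assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api|app)[_-]?key\s*[=:]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"),
}


def redact(secret: str) -> str:
    """Keep only the first four characters so the audit report does not
    become a second copy of the secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def find_hardcoded_keys(text: str):
    """Step 1: return (line_no, kind, redacted_value) for every match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group(1))))
    return findings


def load_api_key(env: dict, name: str) -> str:
    """Steps 2 and 4: the key is injected into the process environment at run
    time (for example by a vault integration) instead of living in the script.
    Fail closed if the secrets store did not supply it."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} was not provided by the secrets store")
    return value


def needs_rotation(created_iso: str, now_iso: str, max_age_days: int = 90) -> bool:
    """Step 3: True if a key has outlived the (assumed) rotation window."""
    created = datetime.fromisoformat(created_iso)
    now = datetime.fromisoformat(now_iso)
    return now - created > timedelta(days=max_age_days)


# Constructed sample: a deployment script with embedded credentials.
# None of these values are real keys.
SAMPLE_SCRIPT = """\
#!/bin/bash
# deploy.sh - constructed example, not real credentials
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
export AWS_SECRET_ACCESS_KEY="abcdefghijklmnopqrstuvwxyz0123456789ABCD"
curl -H "X-Api-Key: $GCP_KEY" https://example.invalid/
api_key = 'ghp_constructedexamplevalue123456'
aws s3 sync ./build s3://example-bucket/
"""

if __name__ == "__main__":
    for line_no, kind, value in find_hardcoded_keys(SAMPLE_SCRIPT):
        print(f"line {line_no}: {kind} = {value}")
    # Hardened form: the script reads the key the secrets store injected.
    key = load_api_key({"DEPLOY_API_KEY": "injected-at-runtime"}, "DEPLOY_API_KEY")
    print("retrieved key from environment:", redact(key))
    print("rotation due:", needs_rotation("2024-01-01", "2024-05-01"))
```

Running the script lists the three embedded credentials on lines 3, 4 and 6 of the constructed `deploy.sh` in redacted form; the `$GCP_KEY` reference on line 5 is not reported because it is already read from the environment rather than hardcoded, which is the shape the hardened `load_api_key` call produces.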
While moving workloads to the cloud can bring significant business benefits, it can also expand the attack surface by allowing unprotected API keys and other secrets and credentials to become damaging security vulnerabilities. In the hands of an external attacker or malicious insider, API keys could allow attackers to take full control of an organization’s cloud infrastructure, disable security controls, steal confidential information, and disrupt operations.
However, while this post focuses on vulnerabilities that attackers can exploit, organizations that effectively manage their API keys, secrets and other credentials can minimize these vulnerabilities and secure their cloud workloads. In fact, with the right approach, the cloud can be more secure than on-premises environments.