(I am not fond on vendor’s blogs as the signal to noise ratio is very low, since they are written to please search engines more than engineers… but Scott Piper gets a pass.)

I found this insightful, access keys are such a liability that is better to tame as early as possible. Fixing the problem a scale is a lot more challenging.

  • 0xCBE@infosec.pubOPM
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I think access keys are a legacy authentication mechanism from a time where the objective was increasing cloud adoption and public clouds wanted to support customers to transition from on prem to cloud infra.

    But for cloud native environments there are safer ways to authenticate.

    A data point: for GCP now Google also advise new customers to enable from the start the org policy to disable service account key creation.

  • Capt. AIn@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Getting rid of long living access keys is such a win.

    Adding an SCP to block creation is mentioned last in the blog post, but I’d sat that’s the first thing one should do. That way the problem won’t grow as you remove the existing ones (which might take a lot of time).

    Good blog post indeed! Not exactly ground breaking but considering how common the problem is I don’t blame them for writing it.