For example, in Amazon Web Services (AWS) environments, scripts use AWS Access Keys for accessing data, auto-scaling and other functions. With Azure, Azure Application Keys play a similar role, as do API Keys for Google Cloud Platform. These API keys are very powerful, enabling, for example, a script or user to stop or start a virtual server, copy a database or even wipe out entire workloads. With API keys, a script or user can do pretty much anything they want within a given cloud environment. In the wrong hands, they represent a major vulnerability.
API keys essentially represent the “keys to the cloud kingdom,” but despite this far-reaching power, these keys are often relatively unprotected. For example, attackers use phishing to steal API keys by gaining access to unprotected endpoints. Keys are also often embedded within applications, automation scripts and orchestration tools. They are therefore frequently static and unchanged, as they are effectively hard coded and available in any copy of the app code or script. Attackers also steal API keys from public repositories, like GitHub – in this case, from code that is inadvertently dropped into public repositories without removing the API keys. It can be an easy mistake for a developer to make, and attackers use bots to troll these repositories leaving little time for the developer to correct the error.
News reports underscore the dangers unsecured API keys present. Consider the OneLogin breach from May 2017, during which an attacker gained access to a set of API keys and used them to access the AWS API from an intermediate host with another, smaller service provider, creating havoc for the organization.
As a result, because API keys are such powerful credentials and so widely used in cloud workloads, securing them and applying the principle of least privilege is imperative.
Four Steps for Securing API Keys
To help secure the enterprises cloud workloads, enterprises should take the following four steps to prevent attackers from compromising the organizations API keys:
1.Discover and enumerate all keys: It’s essential to pinpoint where API keys and other secrets exist, and discovery tools are available to help scan your cloud environments and locate them. Assessing and prioritizing the API key and infrastructure vulnerabilities then enables the collection of reliable and comprehensive audit information.
2.Remove embedded API keys: API keys must also be removed from scripts, applications and automation tools. Similarly, it’s advisable to prevent human users from directly accessing the API keys.
3.Secure API keys: Proactively protect API keys by storing them in a secure, centralized vault that supports strong access controls—allowing only authorized users and applications to reach them. Additionally, automatically rotate API keys and apply the principles of least privilege (including reducing redundant permissions from the account role that is assigned to the API key).
4.Automate securing credentials: Leverage API Key access to the digital space and use integrations with automation tools and scripts to automate and ensure the secure use of the API keys. To ensure that only the correct application have access to the API keys use machine IDs and application authentication.
While moving workloads to the cloud can bring significant business benefits, it can also expand the attack surface by allowing unprotected API keys and other secrets and credentials to become damaging security vulnerabilities. In the hands of an external attacker or malicious insider, API keys could allow attackers to take full control of an organization’s cloud infrastructure, disable security controls, steal confidential information and disrupt operations.
However, while this post focuses on vulnerabilities that attackers can exploit, organizations that effectively manage their API keys, secrets and other credentials can minimize these vulnerabilities and secure their cloud workloads. In fact, with the right approach the cloud can be more secure than on-premises environments.