Datadog advises Australian and APAC companies to phase out long-lived cloud credentials.
# Best Practices: Eliminating Long-Lived Cloud Credentials
## Overview
These practices focus on mitigating the severe data breach risk posed by long-lived cloud credentials (such as static access keys for IAM users, service accounts, and applications) across hyperscale cloud environments (AWS, GCP, Azure). The primary goal is to transition all access mechanisms to use short-lived, temporary credentials managed via centralized, modern authentication methods.
## Key Recommendations
### Immediate Actions
1. **Identify and Inventory Legacy Credentials:** Immediately audit all cloud environments (AWS, GCP, Azure) to inventory all existing long-lived access keys, static secrets, and IAM users assigned to human roles.
2. **Enforce IMDSv2 on AWS (Where Applicable):** Immediately enforce Instance Metadata Service Version 2 (IMDSv2) on all new and existing AWS EC2 instances to block common credential theft methods.
3. **Isolate/Disable Oldest Keys:** Identify all access keys older than one year (Datadog's report found that 60% of AWS IAM users and 62% of GCP service accounts have keys over a year old) and disable or rotate them immediately.
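An added audit helper for the inventory and IMDSv2 actions above (example code, not from the Datadog report): it parses an IAM credential report to list active access keys older than a year and picks out EC2 instances whose metadata endpoint still accepts IMDSv1. The credential report rows and the DescribeInstances fragment are constructed samples, and `enforce_imdsv2` assumes boto3 and AWS credentials are available.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report CSV format, trimmed to the
# columns used here (the real report has more); timestamps are ISO 8601.
SAMPLE_REPORT = """user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-02-01T00:00:00+00:00,false,N/A,false,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2021-05-10T00:00:00+00:00,true,2021-05-10T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-03-01T00:00:00+00:00,true,2024-03-01T00:00:00+00:00,true,2022-01-01T00:00:00+00:00
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def stale_access_keys(report_csv, max_age_days=365, now=NOW):
    """Return (user, key_slot, age_days) for each active access key older than max_age_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            rotated = row[f"{slot}_last_rotated"]
            # Inactive keys and placeholder values (N/A, not_supported, no_information) are skipped
            if row[f"{slot}_active"] != "true" or not rotated[:1].isdigit():
                continue
            age = (now - datetime.fromisoformat(rotated)).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings

# Constructed fragment of an ec2:DescribeInstances response (real ones carry far more fields).
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}

def instances_allowing_imdsv1(response):
    """Instance IDs whose metadata endpoint is enabled but does not require the IMDSv2 session token."""
    return [i["InstanceId"] for r in response["Reservations"] for i in r["Instances"]
            if i["MetadataOptions"].get("HttpEndpoint") == "enabled"
            and i["MetadataOptions"].get("HttpTokens") != "required"]

def enforce_imdsv2(instance_ids):
    """Require IMDSv2 via ec2:ModifyInstanceMetadataOptions (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline audit helpers above work without boto3
    ec2 = boto3.client("ec2")
    for iid in instance_ids:
        ec2.modify_instance_metadata_options(InstanceId=iid, HttpTokens="required", HttpEndpoint="enabled")
```

In a real run, feed `stale_access_keys` the CSV returned by `iam:GetCredentialReport` and `instances_allowing_imdsv1` the paginated `ec2:DescribeInstances` output.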
### Short-term Improvements (1-3 months)
1. **Migrate Human Access to Federated SSO:** Prioritize migrating all human access away from individual cloud IAM users toward centralized identity management solutions (e.g., AWS IAM Identity Center, Okta, Microsoft Entra ID). Aim to eliminate the use of individual cloud users for employees.
2. **Implement Secret Scanning in CI/CD:** Deploy and enforce static code analysis and secret scanning tools in all development pipelines (CI/CD) to prevent new long-lived credentials from being committed to source code or container images.
3. **Implement Workload Identity:** Begin the transition for non-human entities (workloads) from using embedded access keys to utilizing native cloud identity features for temporary credentials (e.g., IAM Roles for EC2/EKS Pod Identity in AWS, Managed Identities in Azure, Service Accounts attached to workloads in GCP).
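An added example of the secret-scanning step (not code from the page or from any particular scanner): a minimal pre-commit style check that flags long-lived AWS access key IDs (AKIA prefix) while letting temporary STS credentials (ASIA prefix) through, and recognises GCP service account key files. The inputs are constructed samples; the AKIA value is AWS's documented example key ID.

```python
import json
import re

# Long-lived AWS access key IDs carry the AKIA prefix; temporary STS credentials carry ASIA.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

def scan_text(text, path="<stdin>"):
    """Return (path, line, finding) tuples for long-lived credential material in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in AWS_KEY_ID.finditer(line):
            if match.group(1) == "AKIA":  # ASIA keys are short-lived and expire on their own
                findings.append((path, lineno, "aws-long-lived-access-key-id"))
    # A GCP service account key file is JSON with "type": "service_account" and an embedded private key
    try:
        doc = json.loads(text)
    except ValueError:
        return findings
    if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
        findings.append((path, 1, "gcp-service-account-key-file"))
    return findings

def scan_files(files):
    """Scan {path: text}; returns all findings so a CI job can fail when the list is non-empty."""
    return [f for path, text in sorted(files.items()) for f in scan_text(text, path)]

# Constructed inputs. The AKIA value is AWS's documented example key ID, not a live credential.
SAMPLE_FILES = {
    "deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=<redacted>\n",
    "session.env": "AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE\nAWS_SESSION_TOKEN=<redacted>\n",
    "sa-key.json": json.dumps({"type": "service_account", "project_id": "example-project",
                               "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n"}),
    "README.md": "Use IAM roles; never commit AWS keys.\n",
}
```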
### Long-term Strategy (3+ months)
1. **Complete Transition to Temporary Credentials:** Establish a policy framework mandating the use of time-bound, temporary credentials for all system-to-system and human-to-system interactions.
2. **Refine Access Policies:** Review and reduce overly permissive access assigned to newly adopted temporary roles and identities, ensuring the principle of least privilege is strictly adhered to alongside credential lifespan reduction.
3. **Establish Key Rotation Automation:** Implement automated processes to regularly rotate any remaining credentials that cannot immediately be converted to session-based access, although the long-term goal should be elimination.
## Implementation Guidance
### For Small Organizations
* **Focus on Centralization First:** Select and implement one centralized identity management solution (e.g., using AWS IAM Identity Center if primarily in AWS) and aggressively enroll all human users.
* **Utilize Managed Identities:** Leverage default managed identity services provided by the cloud platform (e.g., Azure Managed Identities) immediately for any new cloud workloads to avoid distributing static keys.
* **Prioritize MFA Everywhere:** Ensure Multi-Factor Authentication (MFA) is mandated for all human accounts integrated through the SSO solution.
### For Medium Organizations
* **Phased Migration Workflow:** Create a formal migration plan to transition development and production workflows from IAM users/hardcoded keys to federated access and workload roles/identities.
* **Dedicated Tooling:** Invest in mature tooling such as static code analysis and secret scanning across all repositories to actively detect exposed secrets.
* **Secure Workload Transformation:** Dedicate engineering sprints to refactoring applications that currently rely on long-lived keys to accept short-lived tokens obtained via service roles.
### For Large Enterprises
* **Cross-Cloud Standardization:** If multi-cloud, select a primary Identity Provider (IdP) solution that can seamlessly integrate and federate access across AWS, Azure, and GCP tenants.
* **Decommissioning Policy:** Establish a formal governance policy with automated discovery and decommissioning timelines for any credentials/users found outside the new centralized system.
* **Developer Friction Mitigation:** Actively use IdP features designed to streamline workflows (like seamless token exchange) to minimize developer friction during the transition to SSO and reduce organizational resistance.
## Configuration Examples
| Cloud Provider | Human Access Best Practice | Workload Access Best Practice |
| :--- | :--- | :--- |
| **AWS** | Centralized management via **IAM Identity Center** (for SSO/federation) | Utilize **IAM Roles for EC2 Instances** or **EKS Pod Identity** |
| **Microsoft Azure** | Integrate all users with **Microsoft Entra ID** for SSO (avoiding individual Azure AD users) | Implement **Managed Identities** applied to VMs, App Services, and Functions |
| **Google Cloud (GCP)** | Leverage workload identity federation to connect to external enterprise IdPs | Use **Service Accounts attached to workloads** that assume temporary roles |
## Compliance Alignment
* **NIST CSF:** Identify (ID.AM), Protect (PR.AC), Detect (DE.AE) – Focus on strong identity and access management controls.
* **ISO 27001/27002:** A8.2 (Management of privileged access rights), A9.2 (Account management) – Directly addresses secure credential lifecycle management.
* **CIS Benchmarks (Cloud Specific):** Aligns with controls mandating the elimination of static credentials in favor of role-based, temporary access.
## Common Pitfalls to Avoid
* **Treating Long-Lived Credentials as Manageable:** Do not make auditing and hardening static keys the end state; the recommended path is **elimination and replacement** with ephemeral credentials.
* **Underestimating Migration Effort:** The shift requires a significant mindset change from developers accustomed to static keys; allocate sufficient resources for training and workflow adaptation.
* **Incomplete Coverage:** Assuming that centralizing human identity (SSO) automatically solves workload identity issues; these require separate, specific technical implementations (roles/managed identities).
## Resources
* AWS Documentation on IAM Identity Center transition and IMDSv2 enforcement.
* Datadog State of Cloud Security 2024 Report (for context on prevalence).
* Documentation for leading Identity Providers (e.g., Okta, Microsoft Entra ID) regarding enterprise federation setup.