Full Report
In 2024, compromised service accounts and forgotten API keys were behind 68% of cloud breaches. Not phishing. Not weak passwords. Unmanaged non-human identities that nobody was watching. For every employee in your org, there are 40 to 50 automated credentials: service accounts, API tokens, AI agent connections, and OAuth grants. When projects end or employees leave, most
Analysis Summary
# Best Practices: Managing Non-Human Identities (NHI)
## Overview
These practices address the security risks associated with Non-Human Identities (NHIs), including service accounts, API tokens, OAuth grants, and AI agent connections. As these credentials now outnumber human users 45:1 and represent the primary vector for cloud breaches (68%), these guidelines focus on visibility, lifecycle management, and secret rotation to prevent unauthorized persistent access.
## Key Recommendations
### Immediate Actions
1. **Inventory Discovery:** Run scripts or use cloud-native tools (e.g., AWS IAM Access Analyzer, GCP Recommender) to list all active API keys and service accounts.
2. **Revoke "Zombies":** Immediately disable credentials that have shown zero activity in the last 90 days.
3. **Offboarding Check:** Cross-reference active API keys against the names/IDs of employees who have left the organization in the last 6 months.
4. **Identify Over-Privileged NHIs:** Flag any service account with `Admin` or `Owner` roles that only performs a single specific task.
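The four immediate actions above can be run as one pass over a credential inventory. The following is an added example, not part of the original report: it takes records of the kind an IAM credential report or `list-access-keys` export would give you (key id, owning principal, attached roles, how many distinct actions the key performs, last-used time) plus an HR list of departure dates, and returns the keys that match each finding. All names and sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ZOMBIE_DAYS = 90             # no activity in the last 90 days -> disable
DEPARTURE_WINDOW_DAYS = 180  # owners who left in the last 6 months
PRIVILEGED_ROLES = {"Admin", "Owner"}


@dataclass
class Credential:
    key_id: str
    owner: str                      # principal the key is attached to
    roles: frozenset
    distinct_actions: int           # distinct API actions seen in audit logs
    last_used: Optional[datetime]   # None means the key was never used


def audit(creds: List[Credential], departed: Dict[str, datetime],
          now: datetime) -> Dict[str, List[str]]:
    """Return key ids grouped by finding: zombie, departed_owner, over_privileged."""
    findings = {"zombie": [], "departed_owner": [], "over_privileged": []}
    for c in creds:
        # Action 2: zero activity in the last 90 days (never used counts too)
        if c.last_used is None or now - c.last_used > timedelta(days=ZOMBIE_DAYS):
            findings["zombie"].append(c.key_id)
        # Action 3: owner left the organisation within the last 6 months
        left_on = departed.get(c.owner)
        if left_on is not None and now - left_on <= timedelta(days=DEPARTURE_WINDOW_DAYS):
            findings["departed_owner"].append(c.key_id)
        # Action 4: Admin/Owner role on a key that only ever does one thing
        if c.roles & PRIVILEGED_ROLES and c.distinct_actions == 1:
            findings["over_privileged"].append(c.key_id)
    return findings


# Constructed sample inventory (placeholder key ids, not real AWS keys)
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_CREDS = [
    Credential("AKIA-SAMPLE-1", "svc-backup", frozenset({"Admin"}), 1, NOW - timedelta(days=3)),
    Credential("AKIA-SAMPLE-2", "jdoe", frozenset({"ReadOnly"}), 4, NOW - timedelta(days=120)),
    Credential("AKIA-SAMPLE-3", "svc-ci", frozenset({"Deploy"}), 6, NOW - timedelta(days=1)),
    Credential("AKIA-SAMPLE-4", "svc-legacy", frozenset({"Owner"}), 3, None),
]
# Constructed HR feed: principal -> departure date
SAMPLE_DEPARTED = {"jdoe": NOW - timedelta(days=40), "asmith": NOW - timedelta(days=400)}


def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_CREDS, SAMPLE_DEPARTED, NOW)
```

A key can appear under more than one finding (here the departed owner's key is also a zombie), which is exactly the overlap that makes it the first one to revoke.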
### Short-term Improvements (1-3 months)
1. **Enforce Secret Rotation:** Implement a 30, 60, or 90-day mandatory rotation policy for all programmatic keys.
2. **Move to IAM Roles/Workload Identity:** Transition away from long-lived static "Access Key Pairs" to short-lived token-based authentication (e.g., AWS IAM Roles for EC2, GitHub Actions OIDC).
3. **Implement Secrets Management:** Migrate hardcoded strings from codebases and config files into a dedicated vault (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault).
### Long-term Strategy (3+ months)
1. **NHI Lifecycle Automation:** Automate the "Joiners, Movers, Leavers" process for non-human identities so they are provisioned and deprovisioned as part of the CI/CD pipeline.
2. **Behavioral Monitoring:** Establish a baseline for NHI activity; trigger alerts for "impossible travel" (API used from two different regions) or unusual data volume spikes.
3. **Zero Trust for NHIs:** Implement IP whitelisting for API keys so they can only be used from trusted VPCs or corporate IP ranges.
## Implementation Guidance
### For Small Organizations
- **Focus on Visibility:** Use basic secret scanning in GitHub/GitLab to ensure no keys are committed to repos.
- **Manual Audit:** Perform a monthly manual review of administrative service accounts.
### For Medium Organizations
- **Centralize Management:** Use a single cloud-native Secret Manager to store all keys.
- **Standardize Scopes:** Move away from "Full Access" OAuth grants to "Read Only" or resource-specific scopes.
### For Large Enterprises
- **NHI Governance Platform:** Deploy a specialized Non-Human Identity Management (NHIM) tool to track the 40:1 ratio across multi-cloud environments.
- **Automated Remediation:** Script the automatic disabling of any key that is leaked in a public repository.
## Configuration Examples
**Bad Practice (Static Key):**
`export AWS_ACCESS_KEY_ID=AKIA...` (Stored in .env file)
**Good Practice (Temporary Credentials via OIDC):**
```yaml
# Example: GitHub Actions assuming an AWS Role without a secret key.
# `permissions` and `steps` are job-level keys, so they sit under a job.
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request a GitHub OIDC token
      contents: read
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::1234567890:role/my-github-role
          aws-region: us-east-1
```
## Compliance Alignment
- **NIST SP 800-207 (Zero Trust):** Emphasizes that "Identities" include non-human entities.
- **CIS Controls (Control 6):** Specifically addresses the management and protection of secrets and certificates.
- **ISO 27001 (A.9.2.2):** Mandates the management of "User" access rights, which extends to programmatic users.
## Common Pitfalls to Avoid
- **The "Shadow" Account:** Creating a service account under a personal developer's email rather than a functional group email.
- **Hardcoding in Secrets:** Storing an API key inside a script that is then uploaded to a "private" repo (which can still be compromised).
- **Over-Scoping:** Granting `Cloud-Platform-Admin` to a service account that only needs to upload files to a single S3 bucket.
## Resources
- **OWASP Secrets Management Free Guide:** https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
- **GitLeaks (Secret Scanning Tool):** https://github.com/gitleaks/gitleaks
- **Cybersecurity & Infrastructure Security Agency (CISA) Identity Management:** https://www.cisa.gov/topics/identity-management