Cloud monitoring and security platform Datadog has released its State of Cloud Security 2024 report revealing that long-lived credentials continue to be a major risk for organisations across all cloud providers.
Long-lived cloud credentials never expire and frequently get leaked in source code, container images, build logs and application artifacts, making them a major security risk. Research has shown that they are the most common cause of publicly documented cloud security breaches. While the risks are well documented, Datadog’s report found that almost half (46%) of organisations are still using unmanaged users with long-lived credentials.
According to the report, not only are long-lived credentials widespread across all major clouds, they are also often old and even unused. 62% of Google Cloud service accounts, 60% of AWS IAM users and 46% of Microsoft Entra ID applications have an access key older than one year.
“The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed,” said Datadog Head of Security Advocacy Andrew Krug. “In addition to long-lived credentials being a major risk, the report found that most cloud security incidents are caused by compromised credentials. To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use.”
Other key findings from the report include:
-
Adoption of cloud guardrails is on the rise. 79% of S3 buckets are covered by an account-wide or bucket-specific S3 Public Access Block, up from 73% a year ago—thanks to cloud providers starting to enable guardrails by default;
-
More than 18% of AWS EC2 instances and 33% of Google Cloud VMs have sensitive permissions to a project. This puts organisations at risk, as any attacker compromising the workload can steal associated credentials and access the cloud environment;
-
Ten percent of third-party integrations have risky cloud permissions, allowing the vendor to access all data in the account or to take over the whole AWS account. Two percent of third-party integration roles don’t enforce the use of External IDs, which allows an attacker to compromise them through a confused deputy attack.
For the report, Datadog analysed security posture data from a sample of thousands of organisations using AWS, Azure or Google Cloud.
You can read the full report here.
