
Truffle Hog, intro, Git Guardian, all of these secret scanners: go use them. If you don't have any budget, go use Truffle Hog, download it, run it on your laptop, and see what you find, and you'll be scared if you've never done it before. You're going to find AWS secrets, GitHub, SSH keys, everything, all over the place. It's ugly. And the key is that you have to have a policy, and you have to have leadership buy-in to treat these internally leaked secrets as exposed and compromised. Because this is going to be the challenging part, when you say, "Hey, there's a GitHub access token, but it was leaked in a private Slack channel. We have to go through all the work to rotate that token." And the engineers and everybody's like, "Man, it wasn't really leaked." No, yes, it was. And if you have all the audit logs, you can go in and just prove, like, "Okay, this was leaked on this date. We see zero evidence it was ever abused. Okay, fine, it's not a critical emergency, but it's got to be rotated in the next 2 weeks." But if you find evidence it has been abused, you need to rotate it now. And that takes leadership buy-in. So that's where the red team stuff comes in, because then if you can get your butt kicked by the red team a couple of times, you can point to that and be like, "Look, see? We need to do this."

Detections: once again, collect all your audit logs. Behavior-based alerts, I'll get into that a little later. If you're collecting all your audit logs, we have detection rules in our stack where we say, "If anybody accesses this path, fire an alert." Because nobody should be accessing it; it's infosec secrets, you know, and then somebody goes and snoops around to see what's in there, boom, fire an alert. And then maybe you put a token in there that's an AWS token that has no privileges, but it can, you know, do a get identity or get caller ID. It can do a "who is." Then if somebody uses that token, now you file a critical alert. So things like that are great for detecting, like, vault secrets, people trying to dig around inside your secret environment.

And then how do you prevent this from, you know, how do you prevent somebody stealing an AWS secret and burning down your entire data center? Well, don't have one account to rule them all. Your accounts should be separated. Your account that does your auto scaling up and down shouldn't also be able to delete all of your backups. Your account that does your backups, maybe it can do backups, but it can't delete the resources. You know, things like that: separate these out, keep these identities separate, and don't store all your secrets in one script either. So now I'm going to get into a section about generic, like, how do you detect a stolen identity in general?
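The two detections the speaker describes (alert on any read of the infosec secrets path, and a critical alert when the planted no-privilege canary token is ever used) can be expressed as a small rule pass over audit logs. The following is an added example written for this transcript, not code from the speaker or their organization; the log lines are constructed, the field layouts are simplified Vault-audit and CloudTrail shapes, and the path prefix and canary access key id are assumptions, not real values.

```python
import json
from typing import Dict, List, Optional

# Constructed sample audit records (not from the talk). Field layouts are
# simplified versions of a Vault audit entry and a CloudTrail entry.
SAMPLE_LOG_LINES = [
    '{"source": "vault", "time": "2024-03-01T10:01:00Z", "auth": {"display_name": "alice"}, '
    '"request": {"operation": "read", "path": "secret/data/infosec/canary-aws"}}',
    '{"source": "vault", "time": "2024-03-01T10:02:00Z", "auth": {"display_name": "ci-deploy"}, '
    '"request": {"operation": "read", "path": "secret/data/app/prod/db"}}',
    '{"source": "cloudtrail", "eventTime": "2024-03-01T10:05:00Z", "eventName": "GetCallerIdentity", '
    '"eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.7", '
    '"userIdentity": {"type": "IAMUser", "userName": "canary-infosec", "accessKeyId": "AKIAEXAMPLECANARY000"}}',
    '{"source": "cloudtrail", "eventTime": "2024-03-01T10:06:00Z", "eventName": "DescribeInstances", '
    '"eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.0.0.5", '
    '"userIdentity": {"type": "IAMUser", "userName": "autoscaler", "accessKeyId": "AKIAEXAMPLEAUTOSCAL0"}}',
]

# Assumed secrets-engine layout: nobody reads under this prefix in normal operation.
SENSITIVE_PATH_PREFIXES = ("secret/data/infosec/",)
# Access key ids of the no-privilege canary tokens planted under those paths
# (constructed placeholder value; a real deployment would load this from config).
CANARY_ACCESS_KEY_IDS = {"AKIAEXAMPLECANARY000"}


def evaluate_vault(event: Dict) -> Optional[Dict]:
    """Rule 1: any operation on a sensitive secrets path is suspicious by itself."""
    path = event.get("request", {}).get("path", "")
    if path.startswith(SENSITIVE_PATH_PREFIXES):
        return {
            "severity": "high",
            "rule": "sensitive_secret_path_access",
            "actor": event.get("auth", {}).get("display_name", "unknown"),
            "detail": f"{event.get('request', {}).get('operation')} {path}",
            "time": event.get("time"),
        }
    return None


def evaluate_cloudtrail(event: Dict) -> Optional[Dict]:
    """Rule 2: the canary token has no legitimate user, so any call with it is critical."""
    identity = event.get("userIdentity", {})
    if identity.get("accessKeyId") in CANARY_ACCESS_KEY_IDS:
        return {
            "severity": "critical",
            "rule": "canary_credential_used",
            "actor": identity.get("userName", "unknown"),
            "detail": f"{event.get('eventName')} from {event.get('sourceIPAddress')}",
            "time": event.get("eventTime"),
        }
    return None


def detect(lines: List[str]) -> List[Dict]:
    """Run both rules over newline-delimited JSON audit lines and return alerts in order."""
    alerts: List[Dict] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline should count and surface these
        source = event.get("source")
        if source == "vault":
            alert = evaluate_vault(event)
        elif source == "cloudtrail":
            alert = evaluate_cloudtrail(event)
        else:
            alert = None
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(f"[{alert['severity'].upper()}] {alert['rule']}: {alert['actor']} {alert['detail']} at {alert['time']}")
```

The sample run yields two alerts: a high-severity one for the read of the infosec path, and a critical one for the GetCallerIdentity call made with the canary key. The canary rule keys on the access key id rather than the user name so that it still fires if the credential is used from an unexpected principal type or account, and the sensitive-path rule deliberately does not try to allowlist actors, matching the speaker's point that nobody should be in there.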