Skip to main content

Common Misconfiguration

Organizations using multiple cloud providers often expose credentials for all platforms in a single configuration file or codebase.

Vulnerable Example

# VULNERABLE - config.yaml with all cloud credentials
clouds:
  aws:
    access_key_id: "AKIAIOSFODNN7EXAMPLE"
    secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    region: "us-east-1"

  azure:
    tenant_id: "72f988bf-86f1-41af-91ab-2d7cd011eb47"
    client_id: "ad7e1c3a-c8ae-4bc5-b461-f495c6c5b1a2"
    client_secret: "8Q~.vR3fakeSecretHereXAMPLE"
    subscription_id: "12345678-1234-1234-1234-123456789012"

  gcp:
    project_id: "my-project-123456"
    service_account_key: |
      {
        "type": "service_account",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE..."
      }

  digitalocean:
    access_token: "dop_v1_1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab"

  alibaba:
    access_key_id: "LTAI4GKgob8jZ3Fake"
    access_key_secret: "4eRd5tYuO9PfakeSecret123"
    region: "cn-hangzhou"

# VULNERABLE - Multi-cloud class with hardcoded credentials
class MultiCloudManager:
    def __init__(self):
        # Never hardcode credentials!
        self.clouds = {
            'aws': {
                'access_key': 'AKIAIOSFODNN7EXAMPLE',
                'secret_key': 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
            },
            'azure': {
                'tenant': '72f988bf-86f1-41af-91ab-2d7cd011eb47',
                'client_id': 'ad7e1c3a-c8ae-4bc5-b461-f495c6c5b1a2',
                'client_secret': '8Q~.vR3fakeSecretHere'
            },
            'gcp': {
                'api_key': 'AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe'
            },
            'oracle': {
                'user_ocid': 'ocid1.user.oc1..aaaaaaaa',
                'fingerprint': 'aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99',
                'key_file': '/path/to/api_key.pem'
            }
        }

Secure Example

# SECURE - Multi-cloud credential management with vault
import os
import hvac
from azure.identity import DefaultAzureCredential
from google.auth import default as gcp_default
import boto3

class SecureMultiCloudManager:
    def __init__(self, vault_url=None):
        self.vault_client = None
        self.credentials = {}
        self.initialize_vault(vault_url)

    def initialize_vault(self, vault_url):
        """Initialize HashiCorp Vault for credential management"""
        vault_url = vault_url or os.environ.get('VAULT_ADDR')
        vault_token = os.environ.get('VAULT_TOKEN')

        if vault_url and vault_token:
            self.vault_client = hvac.Client(
                url=vault_url,
                token=vault_token
            )
            if not self.vault_client.is_authenticated():
                raise Exception("Vault authentication failed")

    def get_aws_credentials(self):
        """Get AWS credentials using IAM roles or Vault"""
        if self.vault_client:
            # Get dynamic AWS credentials from Vault
            response = self.vault_client.read('aws/creds/my-role')
            return {
                'access_key': response['data']['access_key'],
                'secret_key': response['data']['secret_key'],
                'session_token': response['data']['security_token']
            }
        else:
            # Use IAM role
            session = boto3.Session()
            credentials = session.get_credentials()
            return {
                'access_key': credentials.access_key,
                'secret_key': credentials.secret_key,
                'session_token': credentials.token
            }

    def get_azure_client(self):
        """Get Azure credentials using managed identity"""
        # DefaultAzureCredential tries in order:
        # 1. Environment variables
        # 2. Managed Identity
        # 3. Azure CLI
        # 4. Interactive browser
        credential = DefaultAzureCredential(
            exclude_interactive_browser_credential=True,
            exclude_visual_studio_code_credential=True
        )
        return credential

    def get_gcp_credentials(self):
        """Get GCP credentials using ADC"""
        credentials, project = gcp_default()
        return credentials, project

    def get_cloud_credential(self, provider):
        """Unified interface for getting cloud credentials"""
        providers = {
            'aws': self.get_aws_credentials,
            'azure': self.get_azure_client,
            'gcp': self.get_gcp_credentials
        }

        if provider not in providers:
            raise ValueError(f"Unsupported cloud provider: {provider}")

        return providers[provider]()

# SECURE - Multi-cloud infrastructure as code (Terraform)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0"
    }
    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.0"
    }
  }
}

# Configure providers using environment variables
provider "aws" {
  # Uses AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or IAM role
}

provider "azurerm" {
  features {}
  # Uses Azure CLI, Managed Identity, or Service Principal from env
}

provider "google" {
  # Uses GOOGLE_APPLICATION_CREDENTIALS or ADC
}

# Vault for secret management
resource "vault_auth_backend" "aws" {
  type = "aws"
}

resource "vault_aws_secret_backend" "aws" {
  access_key = var.aws_access_key # From secure variable
  secret_key = var.aws_secret_key # From secure variable

  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 86400
}

resource "vault_aws_secret_backend_role" "role" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "my-role"
  credential_type = "assumed_role"
  role_arns       = ["arn:aws:iam::ACCOUNT:role/MyRole"]
}

# SECURE - Kubernetes multi-cloud setup (External Secrets)
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-config
data:
  AWS_REGION: us-east-1
  AZURE_TENANT_ID: ${AZURE_TENANT_ID}
  GCP_PROJECT_ID: my-project
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: multi-cloud-store
spec:
  provider:
    vault:
      server: "[https://vault.example.com:8200](https://vault.example.com:8200)"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "app-role"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloud-credentials
spec:
  secretStoreRef:
    name: multi-cloud-store
    kind: SecretStore
  target:
    name: cloud-credentials
  data:
  - secretKey: aws-access-key
    remoteRef:
      key: aws/creds/my-role
      property: access_key
  - secretKey: azure-client-secret
    remoteRef:
      key: azure/creds
      property: client_secret

Detection Patterns

  • AWS Access Key ID: `(AKIA|ASIA)[0-9A-Z]{16}`
  • AWS Secret Access Key: `[A-Za-z0-9/+=]{40}`
  • Azure Client Secret: `[A-Za-z0-9~._-]{30,}`
  • GCP API Key: `AIza[0-9A-Za-z\\-_]{35}`
  • GCP Service Account: `"private_key":\s*"-----BEGIN (RSA|EC) PRIVATE KEY-----"`
  • DigitalOcean Token: `dop_v1_[a-f0-9]{64}`
  • Alibaba Access Key ID: `LTAI[a-zA-Z0-9]{15,}`
  • OCI API Key Fingerprint: `([0-9a-f]{2}:){15}[0-9a-f]{2}`

Prevention Best Practices

  1. Use Native Identity: Use cloud-native identity services (AWS IAM, Azure Managed Identity, GCP ADC/Workload Identity) whenever possible.
  2. Centralize Secrets: Implement a centralized secret management system (like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager).
  3. Federate Identity: Use identity federation (like OIDC) to grant external systems access without static keys.
  4. Least Privilege: Enforce least-privilege principles across all cloud environments.
  5. Per-Environment Credentials: Use completely separate credentials and roles for development, staging, and production.
  6. Enable MFA: Enforce Multi-Factor Authentication (MFA) for all human cloud accounts.
  7. Use CSPM: Implement a Cloud Security Posture Management (CSPM) tool to continuously monitor for misconfigurations.
  8. Regular Audits: Conduct regular multi-cloud security audits to find and remediate exposed credentials.