Detecting Credential Misuse Across NHI Roles, HashiCorp Vault, and AWS IAM
This video demonstrates how to detect secret misuse, specifically focusing on a secret being used across multiple applications or by multiple identities, including non-human identities (NHIs) or AI agents.
The video first highlights an alert for secret misuse within the offline UI. A user clicks on the alert to investigate an issue involving an NHI, specifically the "reporting app role" in AWS. By looking at the assets authenticated timeline, a user can see how this NHI is using secrets and accessing different assets in the environment.
The user walks through the process the NHI takes, which includes:
An instance service account (a service instance type in AWS) performing a role impersonation to the "reporting app role," which is normal and allowed by AWS IAM.
The system tracking the original account through the role impersonation.
The "reporting app role" then authenticating to HashiCorp Vault.
The role retrieving a secret named "prod reporting credentials," which is allowed by both HashiCorp Vault and AWS IAM.
The misuse is then identified. The "prod reporting credentials" secret is used on both the "prod reporting" and "dev reporting" systems. Since this credential is named after the production system, it should only work there. This indicates the credential is either too loosely scoped, allowing it to work on both systems, or was specifically set up to work on the development system for some reason.
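As an added example (not code from the video or from the product it demonstrates), the following Python sketches the correlation the walkthrough performs: follow the AWS role impersonation back to the original account, attach Vault secret reads to that chain, and flag a secret that is presented to more than one asset or to an asset outside the environment its name claims. The event shape, field names and the "prod-"/"dev-" naming convention are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs) modelling the chain in the video:
# an instance account assumes "reporting-app-role", the role reads a Vault
# secret, and that secret is then presented to two different systems.
EVENTS = [
    {"src": "aws", "event": "AssumeRole", "actor": "instance-svc-account",
     "role": "reporting-app-role"},
    {"src": "vault", "event": "read", "identity": "reporting-app-role",
     "secret": "prod-reporting-credentials"},
    {"src": "asset", "event": "auth", "identity": "reporting-app-role",
     "secret": "prod-reporting-credentials", "asset": "prod-reporting", "env": "prod"},
    {"src": "asset", "event": "auth", "identity": "reporting-app-role",
     "secret": "prod-reporting-credentials", "asset": "dev-reporting", "env": "dev"},
]

def secret_env(secret):
    """Environment a secret claims by name (assumed convention: 'prod-*' / 'dev-*')."""
    return secret.split("-", 1)[0]

def build_posture(events):
    """Per-secret view: identities, original accounts behind assumed roles, and assets."""
    origin = {}  # assumed role -> account that originally assumed it
    posture = defaultdict(lambda: {"identities": set(), "origins": set(), "assets": {}})
    for e in events:
        if e["src"] == "aws" and e["event"] == "AssumeRole":
            origin[e["role"]] = origin.get(e["actor"], e["actor"])  # follow chained assumes
        elif e["src"] == "vault" and e["event"] == "read":
            p = posture[e["secret"]]
            p["identities"].add(e["identity"])
            p["origins"].add(origin.get(e["identity"], e["identity"]))
        elif e["src"] == "asset" and e["event"] == "auth":
            p = posture[e["secret"]]
            p["identities"].add(e["identity"])
            p["assets"][e["asset"]] = e["env"]
    return posture

def detect_misuse(events):
    """Alerts: secret used on several assets, outside its named environment, or by several identities."""
    alerts = []
    for secret, p in build_posture(events).items():
        if len(p["assets"]) > 1:
            alerts.append((secret, "multi_asset", sorted(p["assets"])))
        off_env = sorted(a for a, env in p["assets"].items() if env != secret_env(secret))
        if off_env:
            alerts.append((secret, "env_mismatch", off_env))
        if len(p["identities"]) > 1 or len(p["origins"]) > 1:
            alerts.append((secret, "multi_identity", sorted(p["identities"])))
    return alerts
```

Running detect_misuse(EVENTS) yields a multi_asset alert for both reporting systems and an env_mismatch alert for "dev-reporting", while the single identity chain produces no multi_identity alert.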
Finally, the video shows an alternate method for monitoring secrets by navigating to the identity security posture page and selecting "secrets". This view provides a user with details on all the secrets in their environment, including information that is typically difficult to gather, such as:
Incidents on individual secrets.
The number of identities using each secret.
The number of assets using the secrets.
