Detecting Unauthorized NHI Role Impersonation and Vault Credential Misuse
This video shows how to identify when a user or workload assumes an unauthorized role to retrieve a secret and how AuthMind’s posture and playbook surface this type of access misuse.
The demonstration focuses on an incident of "unauthorized role impersonation".
The incident involved a human user who first authenticated to the AWS console through Azure AD (now Entra ID) federation. This was normal, expected behavior. The user then performed a role impersonation into the "Salesforce notification role," a non-human identity (NHI) role in AWS, and AWS IAM permitted the assumption.
The human user impersonating the NHI role is the point at which the incident was flagged: human users should not be able to assume an NHI role in this environment.
The role impersonation allowed the user to:
Authenticate to HashiCorp Vault.
Retrieve a secret for the Salesforce API credentials.
Use the retrieved secret to access Salesforce.
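The first link in this chain, a human SSO session assuming a role that belongs to a workload, can be detected from CloudTrail AssumeRole records. The following is an added example (not AuthMind's code and not from the video); the account id, role names and events are constructed, and it assumes the environment keeps a list of human SSO roles and a list of NHI roles.

```python
"""Flag AssumeRole calls where a human SSO session assumes a role classified as an NHI.

Constructed CloudTrail-style records; account id and role names are placeholders."""
import json

# Roles that Entra ID users land in when they federate into the AWS console (assumed labels).
HUMAN_SSO_ROLES = {"arn:aws:iam::111111111111:role/EntraID-Engineers"}
# Roles that belong to workloads, never to people (assumed labels; the page names one such role).
NHI_ROLES = {"arn:aws:iam::111111111111:role/salesforce-notification-role"}

NHI = "arn:aws:iam::111111111111:role/salesforce-notification-role"
CONSTRUCTED_EVENTS = [
    {   # normal: a workload's EC2 instance role assumes the NHI role
        "eventTime": "2024-05-01T09:00:00Z", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/notifier-ec2/i-0abc",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/notifier-ec2"}}},
        "requestParameters": {"roleArn": NHI, "roleSessionName": "notifier-i-0abc"}},
    {   # suspicious: a federated human session assumes the same NHI role
        "eventTime": "2024-05-01T09:12:00Z", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/EntraID-Engineers/alice@example.com",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/EntraID-Engineers"}}},
        "requestParameters": {"roleArn": NHI, "roleSessionName": "alice@example.com"}},
    {   # normal: a human assumes a human-facing role; no NHI boundary is crossed
        "eventTime": "2024-05-01T09:15:00Z", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/EntraID-Engineers/bob@example.com",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/EntraID-Engineers"}}},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/ReadOnlyAuditor", "roleSessionName": "bob@example.com"}},
]

def issuer_role(event):
    """Return the role ARN that issued the caller's session, or None for non-role principals."""
    ctx = event.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sessionIssuer", {}).get("arn")

def find_human_to_nhi_assumptions(events, human_roles=HUMAN_SSO_ROLES, nhi_roles=NHI_ROLES):
    """Return one finding per AssumeRole in which a human SSO session crosses into an NHI role."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        target = ev.get("requestParameters", {}).get("roleArn")
        if issuer_role(ev) in human_roles and target in nhi_roles:
            findings.append({"time": ev["eventTime"], "actor": ev["userIdentity"].get("arn"),
                             "session": ev["requestParameters"].get("roleSessionName"), "nhi_role": target})
    return findings

if __name__ == "__main__":
    print(json.dumps(find_human_to_nhi_assumptions(CONSTRUCTED_EVENTS), indent=2))
```

The same finding is the cue to check the NHI role's trust policy: a role meant only for workloads should not list a human SSO role as a trusted principal, which is the IAM-side fix for the "AWS IAM allowed this impersonation" condition described above.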
The video concludes by summarizing that the human user impersonated a non-human user to check out a credential from HashiCorp Vault and then used it to access a resource that the human user did not initially have access to.
