登录查看更多内容

What are the common pitfalls and risks of exposing or leaking API keys and secrets in distributed services?

由人工智能和领英社区提供技术支持

API keys and secrets are essential for authenticating and authorizing access to distributed services, such as cloud platforms, microservices, or third-party APIs. However, if they are exposed or leaked, they can pose serious security and operational risks for your applications and data. In this article, you will learn about some of the common pitfalls and risks of exposing or leaking API keys and secrets in distributed services, and how to avoid them.

此文章中的业界达人

由社区从 6 条内容中精选。了解更多

1 Insecure storage and transmission

One of the most common pitfalls of exposing or leaking API keys and secrets is storing or transmitting them in insecure ways, such as hard-coding them in source code, configuration files, or environment variables, or sending them over unencrypted channels, such as HTTP or email. This can expose them to unauthorized access, theft, or interception by malicious actors, who can use them to compromise your services, data, or reputation. To prevent this, you should always store and transmit your API keys and secrets in secure and encrypted ways, such as using vaults, secrets managers, or key management services, or using HTTPS or TLS protocols.

添加您的观点

Ananthakrishnan Kasturirangan

Senior Software Engineering Manager at Amazon
举报内容
I agree with the impact of leaking API keys and secrets. But the way to prevent this from happening is through the use of secure storage like vaults, secret managers and using a secure transmission protocol like HTTPS. Just having secure storage or secure transmission is not enough.

已翻译

赞

2 Insufficient rotation and revocation

Another common pitfall of exposing or leaking API keys and secrets is failing to rotate or revoke them regularly or when needed, such as when they are expired, compromised, or no longer used. This can increase the risk of stale or rogue keys and secrets being abused or exploited by attackers, who can gain persistent or unauthorized access to your services or data. To prevent this, you should always rotate or revoke your API keys and secrets periodically or on-demand, using automated or manual processes, and enforce policies and mechanisms to ensure their validity and freshness.

添加您的观点

Ananthakrishnan Kasturirangan

Senior Software Engineering Manager at Amazon
举报内容
Insufficient rotation and revocation can lead to leaking API keys and secrets. Current construct of the paragraph does not convey this meaning.

已翻译

赞

3 Improper scope and granularity

Another common pitfall of exposing or leaking API keys and secrets is granting them too much or too little scope or granularity, such as giving them access to all or none of your services or resources, or using the same or different keys and secrets for different purposes or environments. This can result in either over-privileged or under-privileged keys and secrets, which can compromise your security or functionality, respectively. To prevent this, you should always grant your API keys and secrets the minimum and appropriate scope and granularity, based on the principle of least privilege, and use different keys and secrets for different roles, functions, or stages.

添加您的观点

Krithiga Thangavelu

Engineering Executive @Microsoft, Ex-Amazon passionate about building intuitive customer delighting products
举报内容
Using the principle of least privilege ensures minimal blast radius of leaked keys/secrets. Not sure about what is "too little scope"?

已翻译

赞
Ananthakrishnan Kasturirangan

Senior Software Engineering Manager at Amazon
举报内容
I cannot think of how leaking API keys and secrets can lead to granting too little scope. If this is possible an example would help.

已翻译

赞

4 Lack of monitoring and auditing

Another common pitfall of exposing or leaking API keys and secrets is neglecting to monitor or audit their usage or activity, such as who, what, when, where, why, and how they are used or accessed. This can prevent you from detecting or responding to any anomalies, breaches, or incidents involving your keys and secrets, such as unauthorized or excessive requests, errors, or failures. To prevent this, you should always monitor or audit your API keys and secrets using logs, metrics, alerts, or reports, and implement controls and procedures to ensure their compliance and accountability.

添加您的观点

Ananthakrishnan Kasturirangan

Senior Software Engineering Manager at Amazon
举报内容
Monitoring and auditing is required for detecting and preventing leaks. If there are leaks it does not necessarily mean that there is a lack of monitoring and auditing.

已翻译

赞

5 Poor documentation and communication

Another common pitfall of exposing or leaking API keys and secrets is having poor documentation or communication about them, such as what they are, where they are stored, how they are generated, distributed, or managed, or who is responsible for them. This can lead to confusion, inconsistency, or duplication of your keys and secrets, as well as potential human errors or oversights that can expose or leak them. To prevent this, you should always document or communicate your API keys and secrets using clear and consistent standards, formats, or tools, and share them with the relevant stakeholders, teams, or partners.

添加您的观点

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Krithiga Thangavelu

Engineering Executive @Microsoft, Ex-Amazon passionate about building intuitive customer delighting products
举报内容
The question is incorrectly answered. The question is about the consequences of keys/secrets getting exposed. The answer is a great response for "how to prevent and mitigate the risk of leaked keys/secrets"... or checklist to ensure fast mitigation or reduce the impact or minimize the possibility of such an exploit.

已翻译

赞

Scalability

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

What are the common pitfalls and risks of exposing or leaking API keys and secrets in distributed services?

1

2

3

4

5

6

1 Insecure storage and transmission

2 Insufficient rotation and revocation

3 Improper scope and granularity

4 Lack of monitoring and auditing

5 Poor documentation and communication

6 Here’s what else to consider

Scalability

给文章评分

感谢您的反馈

更多Scalability相关文章

更多相关阅读内容