Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 1

Secrets — passwords, API keys, secure tokens, private keys, and so on — protect access to sensitive resources in your environment. If not properly managed, they can end up in the wrong hands.

In Part 1 of this post, we will show you how to find secrets using truffleHog and git-secrets. In Part 2, we will explain how to manage them using appropriate software tools in order to quickly and cost-effectively achieve a higher level of security.

How Secrets Leak

Passwords, API keys, and secret tokens must not be left lying around your environment unprotected. Their purpose is to provide controlled access to sensitive resources, such as a database that holds customer information, your billing system, or the provider that you send usage data to for calculating customers’ bills each month. They could even provide controlled access to other systems in your own environment.

Read more at ThreatStack