Secrets scanning for Cloud deployments

Over the past year, our CNAPP solution has gone through progressive enhancements, particularly around secret management. It all began with the ability to identify various secret types across virtual machines (VMs). Subsequently, we expanded our focus to include a wide range of metadata associated with these secrets, providing valuable context. 

Today, we are excited to unveil a new capability in Public Preview: Secrets scanning for cloud deployments! Covering Azure and AWS during Public Preview, this capability marks an important step in our commitment to providing a holistic secret management solution across various resource types and the different stages of the software development lifecycle (SDLC).  

What is a Cloud deployment? 

Cloud deployments refer to the process of deploying and managing resources on cloud providers like AWS and Azure using tools such as AWS CloudFormation stacks and Azure Resource Manager templates. This approach streamlines infrastructure management and enhances scalability and consistency in cloud environments. 
In one sentence – a cloud deployment is an instance of an IaC template. 

Each cloud provider exposes an API to query for historical deployments.  
When querying the AWS or Azure APIs for cloud deployment resources, you can typically retrieve the deployment metadata, such as the deployed template, deployment parameters, deployment outputs and tags. 
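As an added illustration (not Defender for Cloud's own scanner), the following Python check walks the deployment metadata fields named above, parameters, outputs, tags and the template body, over a constructed sample shaped like what the AWS and Azure deployment APIs return, and flags values that match well-known secret shapes. The sample values, the `scan_deployment` and `scan_all` helpers and the rule set are all assumptions made for this example.

```python
import re

# Constructed sample of deployment metadata, modelled on the fields the
# AWS and Azure deployment APIs return. All values are invented; the token
# below is a placeholder built from repeated characters, not a real credential.
SAMPLE_DEPLOYMENTS = [
    {
        "provider": "aws", "name": "web-stack",
        "parameters": {"DbUser": "app", "DbPassword": "****"},  # masked by the API
        "outputs": {"DbConnString": "Server=db.internal;User Id=app;Password=Sup3rS3cret!"},
        "tags": {"owner": "team-web"},
        "template": "{...}",
    },
    {
        "provider": "azure", "name": "ci-deploy",
        "parameters": {"repoToken": "ghp_" + "a" * 36},  # placeholder token shape
        "outputs": {"storageAccount": "stexample01"},
        "tags": {},
        "template": '{"resources": [{"type": "Microsoft.Storage/storageAccounts"}]}',
    },
]

# Detection rules: (finding name, compiled regex). These cover the public
# shapes of AWS access key IDs, GitHub PATs and credential-bearing connection strings.
SECRET_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("connection_string_password", re.compile(r"(?i)(password|pwd|accountkey)=([^;\s]{6,})")),
]

def scan_deployment(dep):
    """Return (field path, rule name) for every metadata value that matches a rule."""
    findings = []
    for section in ("parameters", "outputs", "tags"):
        for key, value in dep.get(section, {}).items():
            for rule_name, pattern in SECRET_RULES:
                if isinstance(value, str) and pattern.search(value):
                    findings.append((f"{dep['provider']}/{dep['name']}/{section}/{key}", rule_name))
    # The template body is scanned as one string, since hard-coded values can sit anywhere in it.
    for rule_name, pattern in SECRET_RULES:
        if pattern.search(dep.get("template", "")):
            findings.append((f"{dep['provider']}/{dep['name']}/template", rule_name))
    return findings

def scan_all(deployments):
    return [finding for dep in deployments for finding in scan_deployment(dep)]

if __name__ == "__main__":
    for path, rule in scan_all(SAMPLE_DEPLOYMENTS):
        print(f"FINDING {rule}: {path}")
```

Note that the masked `DbPassword` parameter produces no finding while the connection string in the stack output does, which is the "secrets that only surface at deployment runtime" case the article goes on to describe.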

Why Are Secrets in Deployment Resources Critical? 

Our statistical research found that more than 10% of cloud accounts contain one or more cloud deployments with a plain text secret that can lead to a critical asset, such as a database, , GitHub repositories and Azure Open services. 

While traditional secrets scanning solutions often detect misplaced secrets in code repositories, IaC templates, pipelines, or files within VMs and containers, deployment resources tend to be overlooked. These lingering secrets create a blind spot, allowing attackers to exploit an otherwise hidden within cloud environments. Our new capability adds an extra layer of security, addressing scenarios such as: 

  • Securing the bridge between the left  to the right : 
    for capabilities are adept at identifying exposed secrets within source control management platforms. However, manually triggered cloud deployments from a developer's workstation can lead to exposed secrets that traditional secrets scanning solutions may overlook. Moreover, certain secrets may only surface during deployment runtime, like those revealed in deployment outputs or resolved from Azure Key Vault. 
  • Preventing lateral movement: 
    Discovery of exposed secrets within deployment resources poses a significant risk of unauthorized access. Threat actors can exploit these secrets to traverse laterally within the environment, ultimately compromising critical services. Defender for Cloud attack path analysis will automatically discover attack paths involving an Azure deployment which can lead to a sensitive data breach.  
  • Discovering resources with exposed secrets: 
    The impact of misconfigured deployment resources can be extensive, leading to the creation of numerous new resources with an expansive . Detecting and securing secrets within these resources' control plane data is crucial for preventing potential breaches. Addressing exposed secrets during resource creation can be particularly challenging. Our scanning process is designed to identify and mitigate these exposures at an early stage. 

In summary, our solution provides extended coverage for securing cloud environments and helps prevent lateral movement by discovering and securing exposed secrets in deployment resources, reducing the risk of unauthorized access and breaches. 

How does it work? 

This new capability marks a significant milestone in our journey to enhance security across the entire pipeline, spanning from the software development lifecycle to the runtime of cloud resources.

The new capability is included in Defender CSPM and automatically enabled during onboarding. For existing Defender CSPM customers, no further action is required and the new feature already covers your cloud deployments. 

Relevant recommendations for this capability:  

  1. deployments should have secrets findings resolved 
  2. AWS CloudFormation stack should have secrets findings resolved 

If you wish to verify or activate Defender CSPM, follow the documented steps to do so.  

This article was originally published by Microsoft's Defender for Cloud Blog. You can find the original article here.