AWS secrets exposure in LexisNexis: what IAM teams missed

TL;DR: LexisNexis reportedly suffered an AWS breach that began with the React2Shell flaw and expanded because a workload role could read dozens of Secrets Manager entries, exposing credentials tied to internal systems and cloud tools, according to Aembit’s summary of reports. The breach shows that workload identity scope, not just application flaws, can determine blast radius.

NHIMG editorial — based on content published by Aembit covering the LexisNexis AWS breach: analysis of workload identity and secrets exposure

By the numbers:

• 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
• Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

Questions worth separating out

Q: What breaks when a workload role can read too many secrets?

A: A compromised workload role stops being a single application issue and becomes a reusable access broker.

Q: Why do broad NHI permissions increase breach impact in cloud environments?

A: Broad NHI permissions let one compromised service inherit access to other systems without needing separate compromise steps.

Q: How do security teams know whether secrets access is too broad?

A: A secrets model is too broad when a workload can retrieve credentials outside the service’s direct runtime needs, especially across environments or business functions.

Practitioner guidance

• Scope every workload role to a single function Review ECS task roles, Lambda roles, and similar runtime identities for permissions that extend beyond the service’s core task.
• Segment secrets by workload and environment Split development, analytics, and production secrets into separate access domains so one compromised service cannot retrieve credentials for unrelated systems.
• Replace reusable static secrets with short-lived credentials Use runtime-issued credentials tied to the requesting workload wherever possible, and rotate any remaining long-lived secrets on a schedule that matches operational exposure, not convenience.

What's in the full article

Aembit's full article covers the operational detail this post intentionally leaves for the source:

• The reported AWS permission path that allegedly let the workload read Secrets Manager entries in plaintext.
• The specific credential types named in the exposure claim, including development and analytics systems.
• The application-layer context around React2Shell and how the exploit chain allegedly reached cloud identity scope.
• The incident framing from Aembit’s perspective on secrets footprint reduction and workload identity control.

👉 Read Aembit's analysis of the LexisNexis AWS breach and secrets exposure →

AWS secrets exposure in LexisNexis: what IAM teams missed?

Explore further

View Full Forum →  |  NHI Foundation Course →