Notifications
Clear all
Topic starter
06/06/2026 1:56 am
TL;DR: Exposed AWS configuration files can leak long-lived access keys, enabling privilege escalation, lateral movement, and extortion, as shown in a Unit 42 case where attackers targeted over 110,000 domains and extracted more than 90,000 unique variables. The real issue is not just secret exposure, but unmanaged non-human identity context and standing privilege.
NHIMG editorial — based on content published by Oasis Security: The Risks of Exposed AWS Configuration Files
Questions worth separating out
Q: What breaks when AWS configuration files expose access keys?
A: When AWS configuration files expose access keys, the attacker inherits the workload’s identity and can often authenticate without triggering traditional login controls.
Q: Why do exposed NHI credentials create such a large blast radius?
A: Exposed NHI credentials create a large blast radius because they are usually tied to service permissions, automation paths, and adjacent cloud resources.
Q: What do teams get wrong about secret rotation in cloud environments?
A: Teams often rotate secrets without confirming whether the old credential has actually been invalidated everywhere it was used.
Practitioner guidance
- Inventory configuration files as credential-bearing assets Build an inventory of .env files, deployment manifests, and application configuration stores that can contain AWS access keys, secret pairs, or other secrets.
- Right-size every AWS workload credential Review AWS access keys for the exact IAM actions required by the workload, then remove permissions for role creation, policy attachment, broad bucket enumeration, and other escalation paths.
- Automate secret revocation with usage validation When a secret is exposed, revoke it only after confirming the consuming application has migrated to a replacement credential.
What's in the full article
Oasis Security's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step secret scanning and identity mapping workflow for exposed AWS configuration files
- Safe automated rotation flow that updates environment variables, generates replacement keys, and revokes the old credential
- Detection logic for identifying unauthorized IAM role creation and unexpected privilege escalation
- Preventative guidance on switching AWS environment variables from default KMS to customer-managed keys
👉 Read Oasis Security's analysis of exposed AWS configuration files and NHI risk →
Exposed .env files in AWS environments: what IAM teams need now?
Explore further
06/06/2026 3:18 am
Exposed configuration files are identity containers, not just operational artefacts. Once a .env file carries keys, it becomes a non-human identity surface with its own lifecycle, ownership, and blast radius. The core governance problem is that many teams still classify these files as application plumbing rather than access-bearing assets. Practitioners should treat every config file that can authenticate to AWS as governed identity material.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who is accountable when an exposed AWS key is used for extortion?
A: Accountability usually spans application owners, cloud platform teams, and identity governance teams because the failure sits at the intersection of deployment practice and access control. NIST Cybersecurity Framework 2.0 helps structure the response across identify, protect, detect, respond, and recover. The practical question is whether the organisation can prove who owned the secret and how quickly it was revoked.
👉 Read our full editorial: Exposed AWS configuration files expose NHI access and lateral movement
