Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Long-lived AWS access keys: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Long-lived AWS access keys without IP restrictions can function as world-readable credentials, letting attackers exfiltrate data or alter monitoring from anywhere, according to Token Security. The real governance problem is not just exposure but the assumption that persistent NHI access remains safe until someone remembers to rotate it.

NHIMG editorial — based on content published by Token Security: IP Hardening in the Real World, a story from the trenches

By the numbers:

Questions worth separating out

Q: What breaks when a long-lived AWS access key has no IP restrictions?

A: A leaked or copied key becomes usable from any network, which removes one of the few practical barriers between exposure and abuse.

Q: Why do standing NHI permissions increase cloud breach impact?

A: Standing permissions expand the amount of data, configuration, and monitoring an identity can affect if it is compromised.

Q: How do security teams know whether IP hardening is actually working for NHIs?

A: Look for two signals: whether high-risk credentials are restricted to approved origins, and whether blocked or suspicious origin attempts are being detected and investigated.

Practitioner guidance

  • Inventory every persistent AWS key with no network boundary Find all NHIs that can authenticate from any origin, then classify them by business function, owner, and effective blast radius.
  • Bind high-risk secrets to trusted network origins Apply IP allowlists, VPC endpoint policies, or equivalent origin controls to NHIs that still need long-lived credentials.
  • Pair posture findings with incident-ready monitoring When an NHI lacks network restrictions, route it into detection coverage that checks for suspicious geolocation, known malicious IP ranges, and abnormal access timing.

What's in the full article

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Terraform-based IP restriction workflow for AWS NHIs
  • Continuous monitoring logic for suspicious origin activity and malicious IP ranges
  • Practical examples of how missing network policy findings are converted into remediation scripts
  • How the team balances immediate hardening with ITDR when ownership or downtime blocks fast change

👉 Read Token Security's analysis of IP hardening for long-lived AWS NHI keys →

Long-lived AWS access keys: what IAM teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

IP hardening is a boundary control for NHI governance, not a substitute for rotation. Long-lived AWS keys can still exist in real environments because operational change is slow, ownership is unclear, or automation depends on them. The article shows that when a key is usable from anywhere, the problem is not only exposure but unrestricted reuse. The practitioner conclusion is that network binding has to be treated as part of the credential’s trust model.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when an old NHI key is still active after the owner leaves?

A: Accountability sits with the system owner, the IAM team, and the business function that still depends on the credential. If no one can explain why the identity remains active, the governance process has failed, not just the secret. Lifecycle ownership should survive personnel changes, because stale access does not self-retire.

👉 Read our full editorial: IP hardening exposes the real risk of long-lived NHI keys



   
ReplyQuote
Share: