Secrets scanning for Cloud deployments

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Over the past year, our CNAPP solution has gone through progressive enhancements, particularly around secret management. It all began with the ability to identify various secret types across virtual machines (VMs). Subsequently, we expanded our focus to include a wide range of metadata associated with these secrets, providing valuable context. 

Today, we are excited to unveil a new capability in Public Preview: Secrets scanning for cloud deployments! Covering Azure and AWS during Public Preview, this capability marks an important step in our commitment to providing a holistic secret management solution across resource types and across the stages of the software development lifecycle (SDLC).


What is a Cloud deployment? 

Cloud deployments refer to the process of deploying and managing resources on cloud providers like AWS and Azure using tools such as AWS CloudFormation stacks and Azure Resource Manager (ARM) templates. This approach streamlines infrastructure management and improves scalability and consistency in cloud environments.
In one sentence: a cloud deployment is an instance of an IaC template.

Each cloud provider exposes an API for querying historical deployments.
When you query the AWS or Azure API for a cloud deployment resource, you typically get back the deployment metadata: the deployed template, the deployment parameters, the deployment outputs and the tags.


Why Are Secrets in Deployment Resources Critical? 

Our statistical research found that more than 10% of cloud accounts contain one or more cloud deployments with a plaintext secret that can lead to a critical asset, such as a database, blob storage, a GitHub repository or an Azure OpenAI service.

While traditional secrets scanning solutions often detect misplaced secrets in code repositories, IaC templates, DevOps pipelines or files within VMs and containers, deployment resources tend to be overlooked. These lingering secrets create a blind spot, allowing attackers to exploit an otherwise hidden attack surface within cloud environments. Our new capability adds an extra layer of security, addressing scenarios such as: 


  • Securing the bridge between the left and the right:
    Defender for DevOps capabilities are adept at identifying exposed secrets within source control management platforms. However, cloud deployments triggered manually from a developer's workstation can expose secrets that traditional secrets scanning solutions may overlook. Moreover, certain secrets surface only at deployment time, such as values revealed in deployment outputs or resolved from Azure Key Vault.
  • Preventing lateral movement:
    Exposed secrets within deployment resources pose a significant risk of unauthorized access. Threat actors can use them to move laterally within the environment and ultimately compromise critical services. Defender for Cloud attack path analysis automatically discovers attack paths that involve an Azure deployment and can lead to a sensitive data breach.
  • Discovering resources with exposed secrets:
    A misconfigured deployment can have extensive impact, creating numerous new resources with a broad attack surface. Detecting and securing secrets in these resources' control-plane data is crucial for preventing breaches, and addressing exposed secrets at resource-creation time is particularly challenging. Our scanning process is designed to identify and mitigate these exposures at an early stage.

In summary, our solution extends coverage for securing cloud environments and prevents lateral movement by discovering and securing exposed secrets in deployment resources, reducing the risk of unauthorized access and breaches.


How does it work?

The scanning of deployment resources is entirely agentless and relies solely on the control plane's API. This lets us scan all of an organization's deployment resources comprehensively and continuously, ensuring they are safeguarded against secret exposure.
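The following is an added example, not Microsoft's code, showing what an agentless, control-plane-only scan of the metadata described above (template, parameters, outputs, tags) looks like in practice. The input shapes follow what the provider APIs return (for AWS, one entry of boto3 `cloudformation.describe_stacks()["Stacks"]` plus `get_template()["TemplateBody"]`; for Azure, the ARM deployment resource as returned by `az deployment group show` plus its exported template), but no cloud calls are made: the two sample deployments, the detector regexes and every credential value in them are constructed dummies. The CloudFormation sample deliberately reproduces the "secrets that only surface at deployment time" case from the previous section: its template only references the password parameter, so a repository-side scan of the template finds nothing, while the resolved stack output leaks it.

```python
"""Scan cloud-deployment metadata for plaintext secrets. Added example, not Microsoft's code.
Input shapes follow the provider APIs (boto3 describe_stacks()/get_template() for CloudFormation,
the ARM deployment resource from `az deployment group show` for Azure); sample data is constructed."""
from __future__ import annotations

import json
import re
from typing import Any, Iterator, NamedTuple

# Illustrative detector set (constructed subset; production scanners carry many more rules).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "azure_storage_account_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|pwd|secret)\s*[=:]\s*['\"]?[^\s'\";,]{8,}"),
}

class Finding(NamedTuple):
    deployment: str
    location: str   # dotted path inside the metadata, e.g. outputs.JdbcUrl
    detector: str

def iter_strings(obj: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (path, value) for every string leaf of nested JSON-like data."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_strings(val, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from iter_strings(val, f"{path}[{i}]")

def scan_deployment(dep: dict) -> list[Finding]:
    """Run every detector over the template, parameters, outputs and tags of one deployment."""
    findings = []
    for section in ("template", "parameters", "outputs", "tags"):
        for path, value in iter_strings(dep.get(section, {}), section):
            for name, rx in DETECTORS.items():
                if rx.search(value):
                    findings.append(Finding(dep["name"], path, name))
    return findings

def from_cloudformation(stack: dict, template_body: str) -> dict:
    """Normalize one describe_stacks() entry. NoEcho parameters arrive masked as '****'."""
    return {
        "name": f"aws:{stack['StackName']}",
        "template": json.loads(template_body),
        "parameters": {p["ParameterKey"]: p["ParameterValue"] for p in stack.get("Parameters", [])},
        "outputs": {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])},
        "tags": {t["Key"]: t["Value"] for t in stack.get("Tags", [])},
    }

def from_arm(deployment: dict, template: dict) -> dict:
    """Normalize an ARM deployment resource. secureString parameters arrive with no value."""
    props = deployment["properties"]
    return {
        "name": f"azure:{deployment['name']}",
        "template": template,
        "parameters": {k: v.get("value", "") for k, v in props.get("parameters", {}).items()},
        "outputs": {k: v.get("value", "") for k, v in props.get("outputs", {}).items()},
        "tags": deployment.get("tags", {}),
    }

# Constructed samples with dummy credentials. The CloudFormation template only *references*
# DbPassword, so scanning the template in the repo finds nothing; the resolved output does leak.
SAMPLE_CFN_STACK = {
    "StackName": "payments-db",
    "Parameters": [
        {"ParameterKey": "DbUser", "ParameterValue": "app"},
        {"ParameterKey": "DbPassword", "ParameterValue": "****"},                   # NoEcho: masked
        {"ParameterKey": "ExportKeyId", "ParameterValue": "AKIAIOSFODNN7EXAMPLE"},  # plain String: leaks
    ],
    "Outputs": [{"OutputKey": "JdbcUrl", "OutputValue":
                 "jdbc:postgresql://db.internal/app?user=app&password=Sup3rS3cretPw!"}],
    "Tags": [{"Key": "owner", "Value": "payments"}],
}
SAMPLE_CFN_TEMPLATE = json.dumps({
    "Parameters": {"DbUser": {"Type": "String"}, "ExportKeyId": {"Type": "String"},
                   "DbPassword": {"Type": "String", "NoEcho": True}},
    "Resources": {"Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "MasterUsername": {"Ref": "DbUser"}, "MasterUserPassword": {"Ref": "DbPassword"}}}},
    "Outputs": {"JdbcUrl": {"Value": {"Fn::Join": ["", ["jdbc:postgresql://",
        {"Fn::GetAtt": ["Db", "Endpoint.Address"]}, "/app?user=", {"Ref": "DbUser"},
        "&password=", {"Ref": "DbPassword"}]]}}},
})
SAMPLE_ARM_DEPLOYMENT = {"name": "storage-rollout", "properties": {
    "parameters": {"adminPassword": {"type": "SecureString"},   # secureString: value withheld
                   "storageConn": {"type": "String", "value": "DefaultEndpointsProtocol=https;AccountName=acct;"
                                   "AccountKey=" + "A" * 86 + "==;EndpointSuffix=core.windows.net"}},
    "outputs": {"githubToken": {"type": "String", "value": "ghp_" + "a" * 36}}}}
SAMPLE_ARM_TEMPLATE = {"contentVersion": "1.0.0.0", "resources": []}

def run_samples() -> list[Finding]:
    """Scan both constructed deployments: four leaks, none of them in a template body."""
    return (scan_deployment(from_cloudformation(SAMPLE_CFN_STACK, SAMPLE_CFN_TEMPLATE))
            + scan_deployment(from_arm(SAMPLE_ARM_DEPLOYMENT, SAMPLE_ARM_TEMPLATE)))
```

Running `run_samples()` yields four findings: the plain String parameter `ExportKeyId` and the resolved output `JdbcUrl` on the AWS stack, and the plain string parameter `storageConn` and the output `githubToken` on the ARM deployment. The masked NoEcho parameter, the valueless secureString parameter and both template bodies produce nothing, which is the practical lesson: declare sensitive parameters as NoEcho/secureString and never echo them through outputs, because the control plane keeps parameters and outputs for as long as the deployment record exists.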


This new capability marks a significant milestone in our journey to enhance security across the entire pipeline, spanning from the software development lifecycle to the runtime of cloud resources.


The new capability is included in Defender CSPM and automatically enabled during onboarding. For existing Defender CSPM customers, no further action is required and the new feature already covers your cloud deployments. 

Relevant recommendations for this capability:

  1. Azure Resource Manager deployments should have secrets findings resolved.
  2. AWS CloudFormation stacks should have secrets findings resolved.


If you need to verify or enable Defender CSPM, the onboarding steps are documented for you to follow.
