IBM Cloud Access Key
ID | ibm_cloud_key
Severity | critical
Vendor | IBM Cloud
Family | Access key
Description
IBM Cloud uses an Identity and Access Management (IAM) service for keys that can give access to the infrastructure API and to resources. With IAM, users may create an API key to log in as the user identity in the CLI or the REST API.
Security
Because an IBM Cloud key can give access to the infrastructure API and to resources, it should be handled like a master password: if leaked, it may allow attackers access to the API and to resources.
As IBM says:
Because users can be members of multiple accounts and have access to many resources across multiple accounts, and the API key is used to identify the user, it can provide the ability to gain access to almost any resource, in any account, that the user has access to.
For this reason, the user API key should be treated similar to a username and password and should never be shared.
Mitigation / Fix
- Remove the exposed key from the source code or committed configuration file.
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s) using the IBM Cloud console. API keys are typically deleted for key rotation, but they should be deleted immediately when a leak is detected.
- Check access logs to ensure that the secret was not used by unintended actors during the compromised period. IBM provides a tool called Activity Insights for detecting unauthorized or suspicious behaviour in IBM Cloud resources or applications.
- Restrictions on IP addresses for access keys can be set in the IAM settings.
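
One way to confirm the first step, that no key-like value remains in source or configuration text, shown as an added example and not the detector's own code. It assumes a 44-character key over `[A-Za-z0-9_-]` and a keyword heuristic, neither of which is stated on this page; `scan_text`, `fingerprint` and the sample data are hypothetical names and constructed values.

```python
import hashlib
import re

# Assumption (not from the page): an IBM Cloud IAM API key is a 44-character
# string over [A-Za-z0-9_-]. The keyword list below is a heuristic chosen here.
KEY = r"[A-Za-z0-9_\-]{44}"
ASSIGNMENT = re.compile(
    r"\b[\w.\-]*(?:ibm|iam|bluemix|api_?key)[\w.\-]*[\"']?"  # setting name
    r"\s*[:=]\s*[\"']?"                                      # separator
    r"(" + KEY + r")(?![A-Za-z0-9_\-])",                     # exactly 44 chars
    re.IGNORECASE,
)


def looks_like_placeholder(value):
    """Filter documentation dummies such as 44 repeated 'x' characters."""
    return len(set(value)) < 10


def fingerprint(value):
    """Identify a finding without reprinting the secret in scan output."""
    digest = hashlib.sha256(value.encode()).hexdigest()[:12]
    return value[:4] + "...sha256:" + digest


def scan_text(text, source="<memory>"):
    """Return (source, line_number, fingerprint) for each suspected key."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ASSIGNMENT.finditer(line):
            value = match.group(1)
            if not looks_like_placeholder(value):
                findings.append((source, number, fingerprint(value)))
    return findings


# Constructed sample: the key is random-looking filler, not a real credential.
FAKE_KEY = "aB3dE5gH7jK9mN1pQ3sT5vW7yZ0cF2hJ4lM6oR8uX-_q"
SAMPLE = "\n".join([
    "region: us-south",
    f'ibmcloud_api_key = "{FAKE_KEY}"',   # flagged: keyword name + key shape
    "apikey: " + "x" * 44,                # skipped: placeholder value
    "checksum: " + FAKE_KEY[::-1],        # skipped: no key-related name
])

if __name__ == "__main__":
    for source, number, mark in scan_text(SAMPLE, "terraform.tfvars"):
        print(f"{source}:{number}: possible IBM Cloud API key {mark}")
```

A finding is reported by fingerprint only, so the scan output can be pasted into a ticket without leaking the key a second time.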