惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
小众软件
小众软件
博客园_首页
博客园 - 聂微东
V
V2EX
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
SegmentFault 最新的问题
J
Java Code Geeks
Last Week in AI
Last Week in AI
The Cloudflare Blog
月光博客
月光博客
雷峰网
雷峰网
宝玉的分享
宝玉的分享
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Hugging Face - Blog
Hugging Face - Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
有赞技术团队
有赞技术团队
人人都是产品经理
人人都是产品经理
博客园 - Franky
腾讯CDC
Jina AI
Jina AI
博客园 - 叶小钗
大猫的无限游戏
大猫的无限游戏
阮一峰的网络日志
阮一峰的网络日志
量子位
爱范儿
爱范儿
美团技术团队
T
Tailwind CSS Blog
博客园 - 【当耐特】
D
Docker
IT之家
IT之家
V
Visual Studio Blog
P
Proofpoint News Feed
L
LangChain Blog
Engineering at Meta
Engineering at Meta
C
Check Point Blog
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog RSS Feed
Recorded Future
Recorded Future

Datadog | The Monitor blog

Introducing our open source AI-native SAST Instrument and monitor Boomi integration flows with OpenTelemetry and Datadog Not all index scans are equal: How we cut query latency by over 99% Platform engineering metrics: What to measure and what to ignore Integrate Recorded Future threat intelligence with Datadog Cloud SIEM CI/CD security: threat modeling using a MITRE-style threat matrix CI/CD security: How to secure your GitHub ecosystem Ingress NGINX is EOL: A practical guide for migrating to Kubernetes Gateway API Operating agentic AI with Amazon Bedrock AgentCore and Datadog LLM Observability: Lessons from NTT DATA Introducing the Datadog Code Security MCP Capture and analyze custom heatmaps in Session Replay Understand session replays faster with AI summaries and smart chapters Monitor ClickHouse query performance with Datadog Database Monitoring How we designed empathetic alert sounds for on-call engineers Search and act across Datadog to resolve issues faster with Bits Assistant Measure the business impact of every product change with Datadog Experiments Analyzing round trip query latency Configuring JavaScript caches for better performance Introducing Bits AI Dev Agent for Code Security Datadog achieves ISO 42001 certification for responsible AI Monitor Nutanix clusters, hosts, and VMs with Datadog Monitor Juniper Mist in Datadog A new Host Map for modern infrastructure Annotate traces to improve LLM quality with Datadog LLM Observability What’s new in Cloud SIEM: AI-powered investigations, enhanced threat intelligence, and scalable security operations Explore Kubernetes with native OpenTelemetry data Monitor Oracle Fusion Cloud Applications with Datadog Announcing the Datadog Terraform provider v4.0.0 Scaling Kubernetes workloads on custom metrics How to design cloud environments for AI-powered threat analysis Monitor Aruba Central in Datadog How we centralize and remediate risks with Datadog Case Management Accelerate incident response with Datadog and ServiceNow Monitor your application and network load balancer logs Understanding Karpenter architecture for Kubernetes autoscaling Tools for collecting metrics and logs from Karpenter Monitor Karpenter with Datadog What your product data is actually saying Key metrics for monitoring Karpenter Securing Datadog’s platform in the AI age: The role of observability data Four ways engineering teams use the Datadog MCP Server to power AI agents Approaching your observability migration with the right mindset Meet the new Bits AI SRE: Deeper reasoning, twice as fast Key learnings from the 2026 State of DevSecOps study Use plain English to query your multi-cloud infrastructure in Resource Catalog Simplifying troubleshooting across the user journey with Datadog Synthetic Monitoring Protect your OCI resources with Datadog Cloud Security This Month in Datadog - February 2026 Amazon EC2 security: How misconfigured and public AMIs expand your cloud attack surface Enable end-to-end visibility into your Java apps with a single command Measure and improve mobile app startup performance with Datadog RUM Evaluating our AI Guard application to improve quality and control cost Identify untested code across every level of your codebase Make use of guardrail metrics and stop babysitting your releases Monitor Versa Networks SD-WAN performance in Datadog Improve performance and reliability with APM Recommendations Remediate transitive vulnerabilities faster with Datadog Software Composition Analysis Generate audit-ready vulnerability and compliance reports with Datadog Sheets Monitor Fortinet FortiManager performance in Datadog Improve test coverage across codebases with Datadog Code Coverage Move fast, don’t break things: Consistent testing standards at scale Enrich logs with ServiceNow CMDB context before routing to any SIEM or logging tool Monitor Lustre with Datadog Make faster, better product decisions with Datadog Product Analytics Surface and remediate runtime posture issues with Workload Protection Findings Protect agentic AI applications with Datadog AI Guard How to optimize JavaScript code with CSS Trace Google Pub/Sub workloads in Cloud Run with Datadog Detect human names in logs with ML in Sensitive Data Scanner How we cut our NLQ agent debugging time from hours to minutes with LLM Observability Debug PostgreSQL query latency faster with EXPLAIN ANALYZE in Datadog Database Monitoring Datadog acquires Propolis Unify and correlate frontend and backend data with retention filters Scale compliance across global frameworks with Datadog Cloud Security Monitor Arista VeloCloud SD-WAN performance with Datadog Building reliable dashboard agents with Datadog LLM Observability Simplify log collection and aggregation for MSSPs with Datadog Observability Pipelines Mitigation for Node.js denial-of-service vulnerability affecting Datadog APM Automate flaky test fixes with the Bits AI Dev Agent and Test Optimization How we built an AI SRE agent that investigates like a team of engineers Datadog integrations 2025 recap: Observability for AI, security, and hybrid cloud Design effective executive dashboards with Datadog Implement dbt data quality checks with dbt-expectations Bring faster visibility into AWS Lambda functions with remote instrumentation Troubleshoot faster with the GitLab Source Code integration in Datadog How Cambia Health Solutions saved $30,000 monthly with Cloud Cost Management and the Datadog Resource Catalog Normalize any logs for Cloud SIEM with Datadog's OCSF processor Optimizing Datadog at scale: Cost-efficient observability at Zendesk Detect, diagnose, and resolve network issues easily with CNM Network Health Connect engineering errors to user impact in early-stage products Cilium configuration for Kubernetes operations at scale Designing feedback loops for progressive delivery Ship features faster and safer with Datadog Feature Flags Choosing the right OpenTelemetry Collector distribution Route your monitor alerts with Datadog monitor notification rules Automate Cloud SIEM investigations with Bits AI Security Analyst Cloud threat detection: How to identify risky activity across control and data planes Collecting Kafka performance metrics Monitoring Kafka with Datadog Monitoring Kafka performance metrics
Key learnings from the 2024 State of Cloud Security study
2024-10-21 · via Datadog | The Monitor blog
Christophe Tafani-Dereeper

Christophe Tafani-Dereeper

We’ve just released the 2024 State of Cloud Security study, where we analyzed the security posture of thousands of organizations using AWS, Azure, and Google Cloud. In particular, we found that:

  • Long-lived cloud credentials continue to be problematic and expose cloud identities.
  • Adoption of IMDSv2 in AWS is rising, though still insufficient.
  • Use of public access blocks on storage buckets varies across cloud platforms and is more prevalent in AWS than Azure.
  • A number of cloud workloads have non-administrator permissions that still allow them to access sensitive data or escalate their privileges.
  • A number of managed Kubernetes clusters across AWS, Azure, and Google Cloud are directly exposed to the internet and have nodes with risky permissions.
  • Most cloud incidents are caused by compromised cloud credentials.
  • Insecure IAM roles for third-party integrations can leave AWS accounts at risk of exposure.

In this post, we provide key recommendations based on these findings, and we explain how you can use Datadog Cloud Security to improve your security posture.

Minimize the use of long-lived cloud credentials

Credentials are considered long-lived if they are static (i.e., never change) and also never expire. These types of credentials are responsible for a number of documented cloud data breaches, and organizations should avoid using them.

In AWS, this means you should avoid using IAM users. Using IAM users to authenticate humans is both cumbersome and risky, especially in multi-account environments. AWS IAM Identity Center (formerly AWS SSO) and IAM role federation provide a more secure and convenient way of managing and provisioning human identities, while supporting common command-line applications such as the AWS CLI or Terraform.

AWS workloads—such as EC2 instances—should not use IAM users either. Depending on the compute service in use, AWS provides mechanisms to leverage short-lived credentials by design, so applications can transparently retrieve short-lived credentials without additional effort when using the AWS SDKs or CLI. These mechanisms include:

You can also use a service control policy (SCP) to proactively block the creation of IAM users at the account or organization level.

In Google Cloud, humans should leverage their own identity—typically from Google Workspace—and should not authenticate to the Google Cloud APIs using service account keys.

Google Cloud Workloads should not use service account keys, as they don’t expire and can easily become exposed. Instead, you can attach service accounts to workload resources, such as virtual machines or cloud functions. For the common case of workloads running in a Google Kubernetes Engine (GKE) cluster, you can leverage Workload Identity to transparently pass short-lived credentials for a specific service account to your applications. Google Cloud also provides several organization policy constraints that you can enable at the project, folder, or organization level to disable service account or service account key creation.

In Azure, users accessing resources should authenticate using their Entra ID identity. They should not use long-lived credentials of Entra ID applications. Similarly, Azure workloads such as virtual machines should not embed static credentials of an Entra ID application. Instead, you can leverage Managed Identities to transparently and dynamically retrieve short-lived credentials bound to a specific app registration. Services running in Azure Kubernetes Service (AKS) can use Entra Workload ID.

Using Datadog Cloud Security to identify long-lived cloud credentials

You can use the Inventory in Datadog Cloud Security to identify IAM users and Google Cloud service accounts or service account keys across all your cloud environments.

You can use the Cloud Security Inventory to identify long-lived cloud accounts, as well as their associated misconfigurations and related threats.
Cloud Security Inventory in Datadog
You can use the Cloud Security Inventory to identify long-lived cloud accounts, as well as their associated misconfigurations and related threats.

The cloud configuration rule “Service accounts should only use GCP-managed keys” (open in-app) also allows you to quickly identify Google Cloud service accounts with active user-managed access keys.

Track down stale cloud credentials

As discussed above, long-lived cloud credentials are problematic because they never expire and can become exposed in places such as source code, container images, configuration files, etc. Older credentials carry an even greater risk. Consequently, tracking down old and unused cloud credentials is a highly valuable investment for security teams. You can use an AWS credential report to identify IAM users with unused credentials. In Azure, you can use the Microsoft Graph API through the Azure CLI to identify all Azure AD applications with credentials and pinpoint old ones:

az rest --uri

'https://graph.microsoft.com/v1.0/applications/?$select=id,displayName,

passwordCredentials'

In Google Cloud, you can use Policy Analyzer to retrieve the last authentication time of every service account and identify unused ones:

gcloud policy-intelligence query-activity \

--activity-type=serviceAccountLastAuthentication \

--project=your-project

It’s also possible to use Recommender, including at the organization level.

Use Datadog Cloud Security to track down stale cloud credentials

With Datadog Cloud Security, you can identify stale and risky cloud credentials at scale. In particular, you can use the following rules:

Enforce the use of IMDSv2 on Amazon EC2 instances

The EC2 Instance Metadata Service Version 2 (IMDSv2) is designed to help protect applications from server-side request forgery (SSRF) vulnerabilities. By default, newly created EC2 instances allow using both the vulnerable IMDSv1 and the more secure IMDSv2. It’s critical that EC2 instances—especially publicly exposed ones hosting web applications—enforce IMDSv2 to protect against this type of vulnerability, as SSRF vulnerabilities are frequently exploited by attackers.

AWS has released a guide to help organizations transition to IMDSv2, as well as a blog post about the topic. Several additional mechanisms are also available:

While it’s more efficient to enforce IMDSv2 at the design phase—for instance, by updating the source infrastructure-as-code templates—it’s also possible as a last resort to use an SCP to block access to credentials retrieved using IMDSv1.

Use Datadog Cloud Security to identify EC2 instances that don’t enforce IMDSv2

You can use Datadog Cloud Security to identify EC2 instances that don’t enforce IMDSv2 through the Misconfigurations rule “EC2 instances should enforce IMDSv2” (open in-app) and the Cloud Security Issue “Publicly accessible EC2 instance uses IMDSv1” (open in-app).

In addition, the attack path “Publicly accessible EC2 host is running IMDSv1 and has an SSRF vulnerability” (open in-app) allows you to easily identify instances that are immediately at risk.

Datadog Cloud Security identifies an EC2 instance that's publicly accessible and does not have IMDSv2 enforced.
IMDSv1 finding in Datadog Cloud Security
Datadog Cloud Security identifies an EC2 instance that's publicly accessible and does not have IMDSv2 enforced.

Block public access proactively on cloud storage services

Cloud storage services such as Amazon S3 or Azure storage are highly popular and were among the earliest public cloud offerings. While storage buckets are private by default, they are frequently made public inadvertently, exposing sensitive data to the outside world. Thankfully, cloud providers have mechanisms to proactively protect these buckets, ensuring that a human error doesn’t turn into a data breach.

In AWS, S3 Block Public Access allows you to prevent past and future S3 buckets from being made public, either at the bucket or account level. It’s recommended that you turn this feature on at the account level and ensure this configuration is part of your standard account provisioning process. It’s important to note that since April 2023, AWS blocks public access by default for newly created buckets. However, this doesn’t cover buckets that have been created before this date.

A similar mechanism exists in Azure, through the “allow blob public access” parameter of storage accounts. Similarly to AWS, all Azure storage accounts created after November 2023 block public access by default. Microsoft, however, planned to migrate to a more secure default in November 2023.

In Google Cloud, you can block public access to Google Cloud Storage (GCS) buckets at the bucket, project, folder, or organization level using the “public access prevention” organization policy constraint.

When you need to expose a storage bucket publicly for legitimate reasons—for instance, hosting static web assets—it’s typically more cost-effective and performant to use a content delivery network (CDN) such as Amazon CloudFront or Azure CDN rather than directly exposing the bucket publicly.

Use Datadog Cloud Security to identify vulnerable cloud storage buckets

You can use Datadog Cloud Security to identify vulnerable cloud storage buckets through the following rules:

Datadog Cloud Security finding that blob container allows anonymous access

Datadog also determines when a storage bucket is publicly accessible, and allows you to filter associated misconfigurations, so you can focus on the ones that matter most.

You can also manually select or deselect public accessibility as a facet in the Cloud Security sidebar.
Filter results for public accessibility in Datadog Cloud Security
You can also manually select or deselect public accessibility as a facet in the Cloud Security sidebar.

Limit privileges assigned to cloud workloads

Cloud workloads such as virtual machines are frequently assigned permissions to perform their usual tasks, such as reading data from a cloud storage bucket or writing to a database. However, overprivileged workloads can allow an attacker to access a wide range of sensitive data in the cloud environment—or even gain full access to it. Ensuring that workloads follow the principle of least privilege is critical to help minimize the impact of a compromised application.

Right-sizing permissions is a continuous process that usually follows three steps:

  1. Determine what actions the workload needs to perform.
  2. Apply the associated policy to the workload role, with minimally scoped permissions. For instance, if an EC2 instance needs to read files from an S3 bucket, it should only be able to access this specific bucket.
  3. Avoid “permissions drift” by ensuring that the workload still requires and actively uses these permissions.

At development time, you can use tools like iamlive to discover what cloud permissions a workload needs. At runtime, cloud provider tools such as Amazon IAM Access Analyzer or Google Cloud Policy Intelligence can compare granted permissions with effective usage, to suggest scoping down permissions of specific policies. Note that Google decided to make Policy Intelligence accessible only to organizations that use Security Command Center at the organization level, instead of providing it as part of their base offering, starting January 2024.

In addition, it’s important to note that seemingly innocuous permissions can allow an attacker to gain full access to a cloud account through privilege escalation. For instance, while the AWS-managed policy AWSMarketplaceFullAccess may give the impression it’s only granting access to the AWS Marketplace, it also allows an attacker to gain full administrator access to the account by launching an EC2 instance and assigning it a privileged role.

Use Datadog Cloud Security to identify overprivileged cloud workloads

You can use the following Cloud Security Misconfiguration rules to identify risky workloads:

Datadog Cloud Security finding that publicly accessible EC2 instances have highly privileged IAM roles

In addition to showing you a detailed context graph, Datadog Cloud Security also indicates the “blast radius” of the impacted workload—i.e., further resources that can be accessed if the instance is compromised.

Blast radius visualization in Datadog Cloud Security

Apply cloud-specific tuning to your managed Kubernetes clusters

Managed Kubernetes services like Amazon EKS, Azure AKS, and Google Cloud GKE are widely adopted in cloud environments, enabling teams to concentrate on deploying application workloads rather than handling the complexities of Kubernetes control plane management. Despite their popularity, these clusters often come with insecure default configurations. This can pose significant risks, as these clusters operate within cloud environments; compromising a managed cluster can provide attackers with pathways to access the underlying cloud infrastructure.

In general, it’s important to make sure of the following when working with managed clusters:

  1. Limit internet exposure. This can typically be achieved by allow-listing IP ranges, using a site-to-site VPN tunnel, or a zero-trust solution such as Google Cloud’s Identity-Aware Proxy (IaP), which is fully compatible with GKE.
  2. Ensure that proper logging is enabled. On Amazon EKS, audit logs are not enabled by default and require explicit configuration.
  3. Block pod access to the worker node’s metadata service. On EKS and AKS, this is typically done through a Kubernetes network policy. On GKE, this requires turning on Workload Identity.

Use Datadog Cloud Security to identify risky managed Kubernetes clusters

You can use the following Cloud Security Misconfigurations rules to identify risky managed clusters in your cloud environment:

Insecure EKS cluster finding in Datadog Cloud Security

Secure IAM roles used for third-party integrations

Third-party SaaS services often integrate with cloud environments. The most common way of doing so is through the use of IAM roles. In this situation, customers of that service create an IAM role with a trust relationship to a specific, vendor-owned AWS account.

This increases the risk of “confused deputy” attacks, where any third party with knowledge of your AWS account ID could enroll your account on the third-party SaaS service. To prevent this type of threat, it’s essential to enforce the use of an ExternalID, an identifier known only by the user and the third-party SaaS solution.

It’s also critical to make sure that your role does not have excessive permissions with regards to what the third-party service needs to accomplish. For instance, a role used to read CloudTrail logs should not have permissions to read data from S3 buckets. Otherwise, if the role is compromised (such as through the lack of an ExternalID) or the third-party SaaS service is breached, an attacker would get access to sensitive data.

Use Datadog Cloud Security to identify risky third-party roles

You can use Datadog Cloud Security to identify overprivileged third-party roles, as well as roles that have excessive permissions.

You can also use a custom query in the Cloud Security Misconfigurations explorer to identify roles matching both of these rules:

@workflow.rule.defaultRuleId:(def-000-qaw OR def-000-au9)

Finally, Cloud Security Identity Risks allows you to visually identify unused permissions and suggest a right-sized policy, based on correlation with CloudTrail logs and IAM Access Analyzer.

Datadog Cloud Security finding that AWS IAM role has a large permissions gap
Suggested downsized policy in Datadog Cloud Security

Secure your infrastructure against common cloud risks

Our 2024 State of Cloud Security study shows organizations have made continued improvements from 2023 when it comes to securely configuring their cloud infrastructure. Still, there is work to be done in several key areas—these include avoiding long-lived and unmanaged credentials, using the most up-to-date and secure configurations on compute and storage instances, and ensuring roles are not overprivileged, particularly those associated with third-party SaaS integrations. In this post, we highlighted several steps that teams can take to harden their security posture on these fronts, and they can use Datadog Cloud Security to help in that effort.

To get started with Cloud Security, check out our documentation. If you’re new to Datadog, sign up for a 14-day free trial.