ciso brief

All news with #secrets management tag

42 articles · page 2 of 3

Bitwarden launches Cupid Vault for secure account sharing

🔐 Bitwarden has introduced Cupid Vault, a free feature that lets users create a two-person shared Organization to securely share login credentials with a trusted email address. Owners assign credentials to the second member, can verify enrollments using a fingerprint phrase to prevent man-in-the-middle attacks, and can revoke access at any time; the Organization vault is isolated from personal vaults. Cupid Vault is limited to two users and two collections and is distinct from Bitwarden's paid Family, Teams, and Enterprise plans that provide broader sharing and role-based controls.

Ephemeral Infrastructure Paradox: Strengthen Identity

🔒 Modern cloud environments create vast numbers of short-lived machine identities that outnumber humans and often remain unmanaged. The author argues that traditional, ticket-driven identity governance is inadequate for ephemeral workloads and supply-chain tooling, exposing organizations to “zombie” service accounts and credential theft. The recommended response is a shift to cryptographic workload identity (e.g., SPIFFE and workload attestation), elimination of long-lived static credentials via short-lived tokens and OIDC Federation, and automated entitlement pruning using CIEM to restore least-privilege without slowing engineering velocity.

Leaked Non-Human Identities: A DevOps Risk Report Overview

🔐 In late 2025, Flare researchers discovered over 10,000 Docker Hub images containing exposed production secrets — from API keys and cloud tokens to CI/CD credentials and AI model access tokens. The report frames non-human identities — tokens, service accounts and workload identities — as persistent, highly privileged artifacts that often outlive their creators and bypass traditional controls. It highlights incidents including the Snowflake breach, a long-lived Home Depot GitHub token exposure, and a Red Hat GitLab compromise, and urges teams to adopt automated secret scanning, short-lived credentials, and continuous monitoring of public registries.

Centralized vs Decentralized Secrets Management on AWS

🔐 This post compares centralized and decentralized approaches to secrets management across four lifecycle domains: creation, storage, rotation, and monitoring. It explains how platform engineering and golden paths can centralize creation to enforce naming, tagging, and least-privilege checks while acknowledging the resource cost and maintenance burden. The article contrasts centralized storage (simplified monitoring but higher cross-account complexity and KMS costs) with storing secrets in workload accounts (better isolation, delegated ownership). Finally, it recommends centralizing auditing and observability while allowing hybrid architectures that balance control, speed, and operational scale.

Enterprises Struggle with IAM, Privilege and AI Access

🔐 New research from CyberArk finds enterprise users routinely bypass IAM controls to work faster, with 63% of security leaders reporting this behavior. Only 1% of organizations have fully implemented a modern just-in-time privileged access model, while 91% say at least half of privileged access remains always-on. Shadow accounts and unmanaged secrets surface weekly in 54% of firms, and many lack clear AI access policies.

Securing RPA: Integrating Non-Human Identities into IAM

🤖 Robotic Process Automation (RPA) bots are rapidly becoming first-class Non-Human Identities (NHIs) that streamline provisioning, deprovisioning and credential handling while reducing human error. Left unmanaged, bot identities and embedded secrets expand the attack surface and enable privilege misuse or lateral movement. Organizations should treat bots like human users — using secrets managers, PAM, JIT access and unified IAM with Zero Trust controls to preserve least-privilege and maintain auditability.

Passwork 7: Self-hosted Password and Secrets Manager

🔐 Passwork 7 is a self-hosted password and secrets manager designed for enterprise teams, combining a user-facing password vault with a programmatic secrets management system. It introduces a flexible vault architecture (user, company, and custom vault types), granular RBAC, secure internal and external sharing, and comprehensive audit trails. The platform supports SSO/LDAP, an API-first model with a Python connector, CLI and Docker deployment, and a zero-knowledge encryption mode to keep data encrypted client-side. Passwork 7 targets organizations seeking unified human and machine credential governance with self-hosting and compliance controls.

AWS Secrets Manager Introduces Managed External Secrets

🔐 AWS Secrets Manager now supports managed external secrets, a new secret type that standardizes storage and enables automated rotation for third-party application credentials such as Salesforce, Snowflake, and BigID. The feature separates rotation metadata from secret values and integrates directly with providers to remove the need for custom rotation functions. It leverages existing IAM, CloudWatch, CloudTrail, GuardDuty, and KMS controls and follows standard Secrets Manager pricing with no additional charge.

Enterprise Password and Secrets Management — Passwork 7

🔐 Passwork 7 consolidates enterprise password and secrets management into a single, self-hosted platform supporting both human and machine credentials. The release improves credential organization with new vault types, expands RBAC and group-based permissions, and enhances audit trails and notifications. It also provides a REST API, Python connector, CLI, and Docker image for automation, plus zero-knowledge encryption and SSO/LDAP integration to help meet compliance needs.

Practical Steps to Minimize Key Exposure in AWS Environments

🔐 This AWS Security blog by Jennifer Paz outlines a layered, practical approach to reduce exposure from long-term AWS credentials. It recommends discovery and risk assessment with CodeGuru Security, IAM Access Analyzer, credential reports, and Trusted Advisor, followed by enforcement using SCPs and RCPs to create a network data perimeter. The post also covers runtime protections (security groups, NACLs, Network Firewall, AWS WAF), automated rotation using Secrets Manager or rotation patterns, and threat detection via GuardDuty, all intended to bridge the gap until migration to temporary credentials is feasible.

Amazon EKS add-on: AWS Secrets Store CSI Driver Provider

🔐 AWS has announced general availability of the Amazon EKS add-on for the AWS Secrets Store CSI Driver provider, enabling clusters to mount secrets from AWS Secrets Manager and parameters from AWS Systems Manager Parameter Store as files on Kubernetes workloads. The add-on installs and manages the AWS provider component and supports automated setup and lifecycle management for new and existing Amazon EKS clusters. It is available in all AWS commercial and AWS GovCloud (US) Regions.

Addressing Password Management Challenges to Protect Data

🔒 Enterprises and SMBs have invested heavily in authentication and IAM, but those controls are only as strong as password management. Compromised credentials remain a leading cause of breaches while the average employee manages over 100 accounts, creating operational and compliance burdens. Dedicated password managers can cut support costs by up to 80% and lower incident rates, but success requires strong user adoption and integration with SSO, MFA, LDAP/AD and privileged access systems.

Practical Guide to Google Cloud Parameter Manager Overview

🔒 Google Cloud's Parameter Manager centralizes application configuration to avoid hard-coded credentials and fragile config files, supporting validated JSON and YAML payloads as well as arbitrary unformatted data. It integrates with Secret Manager using a __REF__ syntax to keep confidential values separate and uses versioned, immutable parameter versions to prevent accidental changes. The post walks through storing an API key in Secret Manager, granting the Parameter Manager IAM principal access, and calling renderParameterVersion from a Node backend. A sample React/Node weather app demonstrates runtime configuration, fallback dummy data, and advanced patterns such as regional parameters and feature rollouts.

Enterprises Move From Static Secrets to Managed Identities

🔐 Organizations are rapidly replacing embedded API keys and passwords with platform-native managed identities to reduce manual credential management and leakage risk. Enterprises report significant productivity gains; case studies cite up to a 95% reduction in time spent managing credentials and a 75% drop in time learning platform authentication. While major clouds (AWS, Azure, GCP) and CI platforms have built-in solutions, legacy systems and third-party APIs remain the primary obstacles to eliminating static secrets entirely.

Choosing the Right AWS Service for Secrets and Configs

🔐 AWS outlines when to use Secrets Manager, Systems Manager Parameter Store, and AWS AppConfig to manage credentials, configuration values, and feature flags. The guidance recommends Secrets Manager for sensitive credentials that need rotation and multi-Region replication, Parameter Store for simple or high-volume key/value data, and AppConfig for validated, controlled deployments. The post compares encryption, access controls, replication, monitoring, and pricing to help architects select the best fit.

AWS PCS Adds Slurm Cluster Secret Rotation Support

🔐 AWS Parallel Computing Service (PCS) now supports rotation of Slurm cluster secret keys using AWS Secrets Manager. Administrators can update the credentials used for authentication between the Slurm controller and compute nodes without recreating a cluster, preserving running workloads and configuration. Regular rotation reduces the risk of credential compromise and helps meet security best practices and compliance requirements. The capability is available in all Regions where PCS operates and can be initiated from the Secrets Manager console or via API after preparing the cluster for rotation.

Deploying AWS Secrets Manager Agent as an EKS Sidecar

🔒 This post demonstrates deploying the AWS Secrets Manager Agent as a sidecar container in Amazon EKS to provide a language-agnostic local HTTP interface (localhost:2773) for secrets retrieval. The agent pulls and caches secret values, reducing direct API calls to Secrets Manager and improving application availability. It enforces SSRF protection via a generated token at /var/run/awssmatoken and implements ML-KEM post-quantum key exchange by default. Authentication uses Amazon EKS Pod Identity and IAM permissions (secretsmanager:GetSecretValue and secretsmanager:DescribeSecret), and the post includes build, containerization, and deployment steps.

Securing Amazon Bedrock API Keys: Best Practices Guidance

🔐 AWS details practical guidance for implementing and managing Amazon Bedrock API keys, the service-specific credentials that provide bearer-token access to Bedrock. It recommends STS temporary credentials when possible and defines two API key types: short-term (client-generated, auto-expiring) and long-term (IAM-user associated). Protection advice includes using SCPs, iam and bedrock condition keys, and storing long-term keys in secure vaults. Detection and monitoring use CloudTrail, EventBridge rules, and an AWS Config rule, and response steps show CLI commands to deactivate and delete compromised keys.

Passwork 7: Unified On-Premises Password and Secrets

🔐 Passwork 7 is an on-premises unified platform that consolidates password and secrets management with a redesigned interface and reworked core workflows to improve usability and security. The update introduces hierarchical vaults, custom vault types, role-based access, and comprehensive logging, plus API, Python connector, CLI and Docker support for DevOps automation. Built on a zero-knowledge AES-256 model with MongoDB storage and ISO 27001 certification, it targets organizations needing centralized, compliant credential control.

AWS Secrets Manager PrivateLink Support for FIPS Endpoints

🔐 AWS Secrets Manager now supports AWS PrivateLink with all Secrets Manager Federal Information Processing Standard (FIPS) endpoints available in commercial AWS Regions and the AWS GovCloud (US) Regions. With this launch you can establish a private connection between your VPC and Secrets Manager FIPS endpoints instead of connecting over the public internet. This capability helps organizations meet compliance and regulatory requirements that limit public internet connectivity.