Preventing breaches: Why short-lived secrets are key to security

Working as both a cloud and security engineer has exposed me to the various ways organizations tackle cloud infrastructure security. You have most likely seen the scenario where your organization invests millions of dollars in third-party vendor security tools like firewalls, IDS, and endpoint security protection only to suffer a breach because of a single leaked API key that had too many permissions associated with it.

The 2023 CircleCI breach exposed customer secrets across thousands of organizations when attackers obtained a privileged access token with excessive permissions and no expiration date. Similarly, when Uber's AWS keys were compromised in 2022, attackers gained access to sensitive customer data simply because static credentials with broad permissions had been inadvertently exposed.

These incidents highlight a critical vulnerability even the most sophisticated security architectures often have trouble with: long-lived secrets. While organizations focus on building complex defensive edge protections, they often overlook the credentials that remain valid for months, or years, expanding the attack surface for adversaries to exploit.

In the cloud today, environments are ephemeral by nature, where infrastructure is provisioned and destroyed in minutes, so why are we still relying on secrets management practices from a time of on-premises data centers? The answer lies in the implementation of short-lived secrets, a mindset shift that dramatically reduces your attack surface and aligns with the dynamic nature of modern cloud infrastructure.

TL;DR

Static credentials with long lifespans are a major risk. This blog explains why short-lived secrets are essential for modern cloud security, how AWS STS models the right approach, and how Doppler helps implement these patterns at scale to reduce breaches, automate rotation, and simplify compliance.

Why are long-lived secrets a security risk?

The primary issue with traditional secrets is persistence. A typical AWS access key or database credential might remain valid for 90 days, a year, or indefinitely. During the lifetime of the credential, they become increasingly vulnerable through multiple attack vectors such as:

• Code repository exposure - Despite scanning tools' improvements across the industry, credentials continue to leak into public and private repositories, with GitHub reporting blocking over 20 million secrets from being committed in 2023 alone.

• Credential sprawl - As infrastructure scales, secrets proliferate across CI/CD pipelines, developer machines, configuration files, and third-party services. Each instance represents a potential compromise point, with the average enterprise managing over 100,000 secrets across their environment.

• Forgotten credentials - Decommissioned services, departed employees, and completed projects often leave behind orphaned credentials that remain active but unmonitored—perfect targets for attackers performing reconnaissance.

• Insufficient rotation practices - Manual rotation processes are error-prone and frequently deprioritized. According to a 2024 cloud security survey, only 37% of organizations consistently follow their credential rotation policies.

Is rotating long-lived secrets enough?

Many organizations believe that regular rotation of long-lived secrets provides adequate protection. However, this approach has many limitations:

• Rotation windows - Even with 90-day rotation policies, attackers have a substantial window to exploit compromised credentials.

• Operational disruption - Manual rotation frequently causes service disruptions when dependent systems aren't updated properly.

• Incomplete coverage - Most rotation programs fail to address all secrets, focusing on "critical" credentials while leaving others indefinitely valid.

• False security - Rotation creates a false sense of security while failing to address the fundamental problem—the credentials remain valid for extended periods between rotations.

The traditional approach to secrets management is misaligned with modern cloud infrastructure principles. In environments where compute resources might exist for only minutes or hours, why would the credentials for those workloads be any different? This creates unnecessary risk and operational complexity that can be eliminated through a different approach - short-lived secrets that align credential lifespans with the ephemeral nature of the cloud resources themselves.

What are short-lived secrets, and how do they work?

The Amazon Web Services' Security Token Service (AWS STS) is the gold standard for the power of short-lived credentials in cloud infrastructure. Instead of having to distribute long-lived IAM credentials across your environment, STS enables temporary security credentials that automatically expire after a configurable period, typically between 15 minutes and 36 hours. This implementation demonstrates several key principles of effective short-lived secrets:

1. Dynamic generation - Credentials are generated on-demand when access is needed, not provisioned in advance and stored.
2. Automatic axpiration - Every credential has a non-negotiable expiration timestamp, after which it becomes completely invalid.
3. Least privilege - Temporary credentials can be scoped to specific resources and actions, following the principle of least privilege.
4. Identity federation - STS supports assuming roles through identity federation, eliminating the need for long-lived credentials entirely in many workflows.

Where else are short-lived secrets used?

The principles behind AWS STS extend beyond the Amazon ecosystem. Modern security architectures are increasingly adopting similar patterns across platforms. For example, you can implement OAuth 2.0 with short-lived tokens in tandem with refresh tokens, or Just-In-Time (JIT) access patterns for various databases that include automatic revocation mechanisms.

Despite clear security benefits, implementing a short-lived secrets architecture across an entire infrastructure stack presents significant challenges. From handling credential refresh logic to providing a seamless developer experience or offering easy-to-use centralized management, these are key factors in successfully migrating to short-lived secrets.

This is where Doppler bridges the gap by providing a unified platform for managing both long-lived and short-lived secrets, while building complementary capabilities for critical services like AWS STS. By integrating with identity providers and supporting automatic rotation, Doppler enables organizations to migrate in a natural way that makes sense to the individual organization's needs and timeline.

What are the business benefits of short-lived secrets?

While the security advantages of short-lived secrets are compelling, the business benefits extend to operational efficiency and compliance. Organizations implementing temporary credential patterns typically experience significant improvements in operational efficiency. The automation required for short-lived secrets eliminates manual rotation tasks, reducing the operational burden on both security and development teams. This automation also eliminates the service disruptions commonly associated with credential rotation, improving overall system reliability.

Compliance requirements increasingly emphasize the importance of credential lifecycle management. Frameworks like SOC 2, ISO 27001, and PCI DSS all contain controls related to access management and credential security. Short-lived secrets provide built-in compliance with these requirements by enforcing automatic expiration and maintaining comprehensive audit trails. Doppler's audit capabilities document all secret access and changes, simplifying evidence collection during compliance audits and reducing the preparation time for certification processes.

Perhaps most significantly, implementing short-lived secrets through a platform like Doppler creates a foundation for scaling security practices alongside your infrastructure. As organizations adopt microservices, serverless architectures, and multi-cloud strategies, the number of secrets requiring management grows exponentially. Traditional approaches to secrets management simply cannot scale to meet these demands, while automated, short-lived credential patterns grow naturally with your infrastructure.

Why short-lived secrets are a long-term strategy for security

The shift from static, long-lived credentials to dynamic, short-lived secrets represents one of the most transformative security improvements available to modern organizations. By dramatically reducing the window of opportunity for attackers, short-lived secrets address the fundamental vulnerability that has led to countless breaches across the industry.

As we've explored throughout this article, the benefits are multifaceted:

• Enhanced security posture through automatic expiration and reduced attack surface

• Operational efficiency by eliminating manual rotation and associated disruptions

• Simplified compliance with automatic enforcement of credential lifecycle requirements

• Scalable architecture that grows naturally with your cloud infrastructure

The AWS STS model demonstrates that this approach is not an idea — it is, however, a proven pattern implemented by one of the world's largest cloud providers. However, extending these principles across your entire technology stack requires a unified platform that can manage the complexity while maintaining a less developer experience.

Take the first step toward modern secrets management today by signing up for Doppler and implementing short-lived secrets in your development environment. Experience firsthand how temporary credentials can enhance your security without compromising developer productivity.

Sign up for a free Doppler demo now! to begin your journey toward more secure cloud infrastructure, and join the growing community of security-conscious organizations that have eliminated the risk of long-lived secrets from their environments.

Short-lived secrets and cloud security FAQs