Service Account Authentication
Description
Service accounts in the CDE must use unique credentials (no sharing), managed centrally, with documented rotation cadence.
⚠️ Risk Impact
Shared service-account credentials enable broad lateral movement when compromised. Without rotation, credentials accumulate exposure indefinitely.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Use workload identity federation and eliminate long-lived service account keys. Manage secrets centrally (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault) and document the rotation cadence.
💀 Real-World Attack Scenario
A merchant's CDE services used a shared 'db_user' account with the same password for 4 years. When a developer laptop was compromised, the password was extracted from a config file and used to access the CDE database directly. The result was a PCI DSS 8.6 violation and 8M card records exfiltrated.
💰 Cost of Non-Compliance
Shared-credential breaches: avg 4.6× higher cost (IBM X-Force 2024).
📋 Audit Questions
1. Are service accounts unique per service?
2. Is the rotation cadence documented?
3. Is workload identity federation in use?
4. Is secret management centralized?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Shared service accounts 'because it's easier'
- ⛔ Static keys never rotated
- ⛔ Secrets in config files (in repos!)
📈 Business Value
Workload identity federation eliminates 95%+ of static-credential risk.
⏱️ Effort Estimate
Migration to federation per workload
EchelonGraph audits credential age and identifies workloads still on static keys.
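As an added example (not EchelonGraph's code), the Python below performs the three checks the remediation and audit sections above describe: static keys older than the documented rotation cadence, one IAM user shared by several workloads, and workloads that have not yet been migrated to federation. It runs on two constructed inputs: a cut-down AWS IAM credential report (the CSV that `aws iam get-credential-report` returns base64-encoded; the column names are the real ones, the rows are invented and most columns are omitted) and a hypothetical workload inventory mapping each CDE workload to the principal it authenticates as. The 90-day cadence and the audit timestamp are assumed values.

```python
"""Audit static service-account credentials for age and sharing.

Added example, not EchelonGraph's code. Inputs are constructed: a subset of
an AWS IAM credential report and a hypothetical workload-to-principal map.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed credential report excerpt. Column names match the real report;
# "N/A" is what AWS emits for an unused key slot. Values are made up.
CREDENTIAL_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
svc-payments,arn:aws:iam::111122223333:user/svc-payments,true,2020-01-15T10:00:00+00:00,false,N/A
svc-reporting,arn:aws:iam::111122223333:user/svc-reporting,true,2024-01-10T09:00:00+00:00,false,N/A
svc-batch,arn:aws:iam::111122223333:user/svc-batch,true,2024-01-05T08:00:00+00:00,true,2023-12-01T08:00:00+00:00
"""

# Hypothetical inventory: workload -> principal. Principals named "role/..."
# are assumed via federation (no static key); bare names are IAM users.
WORKLOAD_INVENTORY = {
    "payments-api": "svc-payments",
    "settlement-worker": "svc-payments",  # second workload on the same user
    "reporting-etl": "svc-reporting",
    "nightly-batch": "svc-batch",
    "fraud-scoring": "role/fraud-scoring-wif",
}

MAX_KEY_AGE_DAYS = 90  # assumed documented rotation cadence
# Fixed "as of" time so the constructed ages are reproducible (assumed value).
AUDIT_TIME = datetime(2024, 3, 1, 12, tzinfo=timezone.utc)


def parse_report(text):
    """Return the credential report rows as a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def active_keys(row):
    """Yield (slot, last_rotated) for each active access key on a user."""
    for slot in (1, 2):
        if row[f"access_key_{slot}_active"] == "true":
            yield slot, datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])


def stale_keys(rows, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Active keys older than the cadence, as (user, slot, age_days)."""
    findings = []
    for row in rows:
        for slot, rotated in active_keys(row):
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


def shared_accounts(inventory):
    """IAM users used by more than one workload -> sorted workload names."""
    users = {}
    for workload, principal in inventory.items():
        if not principal.startswith("role/"):
            users.setdefault(principal, []).append(workload)
    return {u: sorted(w) for u, w in users.items() if len(w) > 1}


def workloads_on_static_keys(inventory, rows):
    """Workloads whose principal is an IAM user holding an active key."""
    keyed_users = {row["user"] for row in rows if any(active_keys(row))}
    return sorted(w for w, p in inventory.items() if p in keyed_users)


def audit(report_text=CREDENTIAL_REPORT, inventory=WORKLOAD_INVENTORY, now=AUDIT_TIME):
    """Run all three checks and return the findings keyed by check name."""
    rows = parse_report(report_text)
    return {
        "stale_keys": stale_keys(rows, now),
        "shared_accounts": shared_accounts(inventory),
        "static_key_workloads": workloads_on_static_keys(inventory, rows),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(name, finding)
```

On the constructed data the audit reports the four-year-old key on `svc-payments`, a second `svc-batch` key one day past the cadence, the IAM user shared by `payments-api` and `settlement-worker`, and every workload except the federated `fraud-scoring` as still on static keys. Replace `AUDIT_TIME` with `datetime.now(timezone.utc)` and feed the decoded report from the CLI to run it against a real account.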
🔗 Cross-Framework References
Automate PCI DSS 8.6 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.