Long-term cloud credentials are oftentimes (intentionally or accidentally) littered in source code, laptops/desktops, servers, cloud resources, etc. It’s easy for credentials to be copied across machines, creating sprawl that is at best, difficult to manage and at worst, unnecessarily increasing leakage risk. Furthermore, these types of credentials are only necessary when non-cloud infrastructure resources need to communicate with cloud resources; for example, data center servers trying to use AWS S3 bucket. Generally speaking, there is no good reason to have long term credentials anywhere else—employees should instead use temporary credentials by authenticating with the SSO service.
Osquery is a powerful tool that allows you to investigate and monitor a myriad of endpoint activity, status, and configuration information through a unified SQL interface. Inside osquery, there's typically a 1:1 correspondence between a source of information and the SQL table you can use to browse or search this information. Some sources of information include parts of the
/proc file system, API calls to container daemons, reading logs or status files on disk, and event streams coming from the Linux audit frame.