Credential Leak Response

Playbook Overview

Credential leakage means that the identity authentication information, such as the username, password, API key, and access token, of an individual or organization is obtained or disclosed by an unauthorized third party when the individual or organization uses online services, such as cloud services, social media platforms, and emails. The Credential Leak Response playbook has been associated with the Credential Leak Response workflow. The playbook can be used in the following scenario:

API key leak scenario: The Credential Leak Response - AccessKey playbook automatically disables the compromised AK/SK.

**Table 1** Playbook triggering conditions
Playbook	Trigger Condition
Credential Leak Response - AccessKey	This playbook is triggered by an alert. If an alert meets the following three conditions and the playbook is enabled, the playbook will automatically disable the related AK/SK. Condition 1: The alert type is AKSK Leakage. Condition 2: The alert severity is High or Critical. Condition 3: The alert source is the Access Key Leak module on the Account Risk Control Workbench. Access Key Leak: SecMaster collects statistics on AK and SK leakage risks by analyzing attack data. The data is sourced from recorded AK and SK leakage alerts on the Attacks tab within the Alerts module. The data source also includes the alerts generated due to AK and SK leakage in GitHub, OBS, and RDS. To aggregate alerts generated due to AK and SK leakage in OBS and RDS, you need to enable the DSC service and the auto alert conversion of DSC logs on the SecMaster console. For details about how to connect DSC alarm logs to SecMaster, see Enabling Log Access. The Access Key Leak module depends on Data Security Center (DSC). To use this function, ensure that Large Model Data Security Protection you buy in DSC is still valid. For details about how to buy DSC, see Buying DSC.

You need to enable this playbook manually.

Prerequisites

Your SecMaster professional edition is available.
You have connected DSC alarm logs to SecMaster and enabled auto alert conversion of DSC logs on the SecMaster console For details, see Enabling Log Access.

Limitations and Constraints

This function applies only to Huawei Cloud account credentials. It is not applicable to credentials in other service systems.

Enabling a Playbook

By default, the initial version (V1) of the Credential Leak Response - AccessKey playbook has been activated. You only need to enable the playbook.

Log in to the SecMaster console.
In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
In the navigation pane on the left, choose Security Orchestration > Playbooks.
Figure 2 Accessing the Playbooks tab
On the Playbooks page, search for the Credential Leak Response - AccessKey playbook and click Enable in the Operation column of the playbook.
In the dialog box displayed, select the initial playbook version v1 and click OK. If the Playbook Status of the Credential Leak Response - AccessKey playbook changes to Enabled, the playbook has been enabled successfully.

Implementation Effect

If an alert that meets the conditions is detected and the playbook is enabled, the playbook will automatically disable leaked keys.

The procedure is as follows:

On the management console, hover the mouse over the username in the upper right corner, and select My Credentials from the drop-down list. The API Credentials page is displayed by default.
In the navigation pane on the left, choose Access Keys.
On the Access Keys page, check whether the Status of the key is Disabled. If yes, the key has been disabled.