E.3.9 Ephemeral credentials
Control Details
Objective
Reduce the number of potential entry points available to an attacker, and with it the attack surface: a credential that expires after one session cannot be replayed later even if it leaks.
Definition
As an alternative to passwords, ephemeral credentials are randomly generated, short-lived access credentials that exist only for one session, authenticating and authorizing privileged connections. They are issued automatically as needed, so users do not have to enter credentials when connecting, and they enable fine-grained permissions and automated provisioning of access tokens.
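The issue-on-demand, expire-after-one-session behaviour described above, as an added stdlib-only Python example (not code from this control or from the CNCF material it references). The issuer signs a small payload (subject, scope, issue and expiry time, random session id) with an HMAC; the verifier rejects anything forged, tampered with, or past its expiry. The signing key, the subject names and the 300-second TTL are constructed assumptions for the demo; a real issuer would keep the key in a KMS or HSM and bind the token to a workload identity.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for this demo only; in production it lives in a KMS/HSM.
ISSUER_KEY = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(key: bytes, subject: str, scope: list[str],
                ttl_seconds: int, now: int | None = None) -> str:
    """Issue a short-lived, single-session credential.

    The payload says who it is for, what it may do and when it stops working,
    plus a random session id so no two issued tokens are ever identical.
    """
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive")
    issued_at = int(time.time()) if now is None else now
    payload = {
        "sub": subject,
        "scope": scope,
        "iat": issued_at,
        "exp": issued_at + ttl_seconds,
        "sid": secrets.token_hex(16),  # unique per session; never reused
    }
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def verify_token(key: bytes, token: str, now: int | None = None) -> dict | None:
    """Return the payload if the token is authentic and unexpired, else None."""
    try:
        body, tag_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; a bad tag means forged or tampered.
        if not hmac.compare_digest(expected, _b64url_decode(tag_text)):
            return None
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # covers bad base64, bad JSON, missing separator
        return None
    current = int(time.time()) if now is None else now
    if current >= payload.get("exp", 0):
        return None  # the session window has closed; credential is dead
    return payload


if __name__ == "__main__":
    # Constructed scenario: a CI agent gets a 5-minute deploy credential.
    tok = issue_token(ISSUER_KEY, "ci-agent-42", ["deploy:staging"], 300)
    print("fresh token accepted:", verify_token(ISSUER_KEY, tok) is not None)
    later = int(time.time()) + 600
    print("same token 10 min later accepted:", verify_token(ISSUER_KEY, tok, now=later) is not None)
```

The verifier checks the signature before it parses the payload, so an attacker cannot feed the JSON parser unauthenticated data, and the expiry check uses a caller-supplied clock so the rejection path can be exercised deterministically in tests.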
Assessment Questions
- Describe your approach to access management for machines and services such as CI/CD pipeline agents, e.g. do you use short-lived tokens?
- Who uses these tokens and for what types of systems?
Reference sources
- CNCF-SSC SC-SA: Use short-lived/ephemeral credentials; BP-SA: Use Short-Lived Workload Certificates