Announcing the AWS Secrets Report
You know what keeps us up at night? It's not the sophisticated nation-state attacks or zero-day exploits. It's the mundane stuff. The API key that's been sitting there for 18 months without rotation. The database password someone created for a proof-of-concept that never got cleaned up. The service token from that microservice we decommissioned last quarter, but somehow forgot to delete.
We built CloudQuery's AWS Secrets Report because managing secrets at scale feels like playing an endless game of hide and seek, except the stakes are your entire infrastructure.
The Problem We Keep Ignoring
Here's the uncomfortable truth: most engineering teams know they have a secrets problem, but they don't know how big it is. We've talked to teams managing thousands of secrets across dozens of AWS accounts, and their "audit process" involves someone manually clicking through the AWS console with a spreadsheet.
That approach breaks down fast. Really fast.
When you're running microservices across multiple regions, secrets multiply like rabbits. Database credentials here, API tokens there, encryption keys everywhere. Before you know it, you're sitting on hundreds of secrets, and honestly, who has time to track which ones are actually being used?
What We Actually Built
Secrets Without Rotation by Account
This one hits different when you see the numbers. We're talking about a simple count that shows which AWS accounts have the most unrotated secrets.
Detailed Secrets Analysis
Want the full picture? This visualization breaks down every unrotated secret with creation dates, owning services, and last access times. We've seen teams discover secrets that haven't been touched in over a year.
The 30-Day Cleanup List
This might be the most valuable query we've written. It surfaces secrets that haven't been accessed in the last month. We're talking about immediate wins for reducing your attack surface.
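The reports above reduce to two checks over secret metadata. The following is an added example, not CloudQuery's own queries: it runs those checks in Python over constructed records whose keys follow the Secrets Manager ListSecrets response; `AccountId`, the sample names and the fixed `NOW` date are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "today" so results are reproducible

def _ago(days):
    return NOW - timedelta(days=days)

# Constructed sample data. Keys follow the Secrets Manager ListSecrets response;
# AccountId is an assumption added here so entries from several accounts can be grouped.
SECRETS = [
    {"AccountId": "111111111111", "Name": "prod/db/password",
     "RotationEnabled": True, "CreatedDate": _ago(400), "LastAccessedDate": _ago(1)},
    {"AccountId": "111111111111", "Name": "poc/db/password",
     "CreatedDate": _ago(540), "LastAccessedDate": _ago(200)},
    {"AccountId": "111111111111", "Name": "legacy/service-token",
     "RotationEnabled": False, "CreatedDate": _ago(300)},  # never retrieved
    {"AccountId": "222222222222", "Name": "payments/api-key",
     "CreatedDate": _ago(5)},  # new, not retrieved yet
    {"AccountId": "222222222222", "Name": "billing/api-key",
     "RotationEnabled": True, "CreatedDate": _ago(90), "LastAccessedDate": _ago(45)},
]

def unrotated_by_account(secrets):
    """Count secrets without rotation per account, highest count first."""
    # A missing RotationEnabled key is treated as "rotation not enabled".
    counts = Counter(s["AccountId"] for s in secrets if not s.get("RotationEnabled", False))
    return counts.most_common()

def cleanup_candidates(secrets, now=NOW, max_idle_days=30):
    """Names of secrets idle for longer than max_idle_days, most idle first."""
    idle = []
    for s in secrets:
        # LastAccessedDate is missing for a secret that was never retrieved;
        # fall back to CreatedDate so a days-old secret is not flagged as stale.
        last_use = s.get("LastAccessedDate", s["CreatedDate"])
        days = (now - last_use).days
        if days > max_idle_days:
            idle.append((days, s["Name"]))
    return [name for days, name in sorted(idle, reverse=True)]

if __name__ == "__main__":
    print(unrotated_by_account(SECRETS))
    print(cleanup_candidates(SECRETS))
```

Note that a secret with rotation enabled can still land on the cleanup list: rotation and usage are independent signals, so the two checks are kept separate.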
Getting Started
Each report connects directly to action. When you spot unrotated secrets, you're not just generating a compliance report. You're building systematic security practices.
Start by visiting our AWS Secrets report page to configure your environment and run your first scan. The setup guides you through connecting your AWS accounts and customizing the queries for your specific infrastructure.
We've seen teams use this data to:
- Prioritize rotation automation (start with the oldest secrets protecting critical resources)
- Build cleanup workflows (remove those unused secrets cluttering your environment)
- Generate compliance evidence (show auditors you're actually tracking this stuff)
- Identify automation gaps (spot patterns where rotation should be automatic but isn't)
You can customize every query in CloudQuery's new custom reports feature. Start with our base queries, then adapt them to your infrastructure patterns. Filter by your tagging strategy. Cross-reference with your resource inventory. Build the visibility that makes sense for your environment.
Because honestly? Your secrets deserve the same engineering rigor you apply to performance monitoring and cost optimization.
Do you have ideas for other reports or feedback for us? Be sure to share them on our community forum.
Want to see how CloudQuery can help you get a handle on your cloud? Try it out yourself or reach out to us to learn more.