Logs don't mean a thing: Unraveling IaC-Managed Identity Ownership
Dan Abramov, Eliav Livneh
fwd:cloudsec North America 2025 · Day 2 · Track 1 - Crystal
Dan Abramov and Eliav Livneh, both security researchers at **Token Security**, presented a creative and entertaining exploration of a deceptively hard problem in cloud identity management: determining the actual human owner of a machine identity created through **Infrastructure as Code (IaC)**. Framed as a game show called "Who is the Owner?", the talk addressed the fundamental gap that emerges when cloud audit logs show Terraform or another IaC engine as the creator of a service account rather than a responsible human being. In incident response scenarios where a compromised identity must be quickly rotated or suspended, knowing who to call is not optional — it is operationally critical.
AI review
A well-structured talk that frames a real operational problem — determining human ownership of IaC-created machine identities — and evaluates three distinct solutions. The log-based correlation approach is clever and practical, though the work stops short of releasing tooling or demonstrating novel exploitation of the ownership gap.
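The ownership gap described in the summary, and the log-based correlation the review mentions, as an added example that is not the speakers' tooling: it joins constructed CloudTrail-style creation events, whose creator is the Terraform deploy role, to constructed CI run records to name the human who triggered the apply. The role-session naming convention, the field names and every sample value are assumptions.

```python
"""Resolve the human behind an IaC-created identity by correlating cloud audit
events (creator = Terraform deploy role) with CI run metadata (who triggered it).
Added illustration with hypothetical fields; all records below are constructed."""
from datetime import datetime, timedelta

# Constructed CloudTrail-style events. The deploy role's session name is assumed to
# embed the CI run id (a convention the pipeline would have to enforce).
AUDIT_EVENTS = [
    {"eventName": "CreateUser", "eventTime": "2025-06-10T14:02:11Z",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci-run-4821"},
     "requestParameters": {"userName": "svc-billing-export"}},
    {"eventName": "CreateRole", "eventTime": "2025-06-10T16:45:03Z",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/manual-apply"},
     "requestParameters": {"roleName": "svc-report-runner"}},
]

# Constructed CI run records: run id, who triggered it, and when it ran.
CI_RUNS = [
    {"run_id": "ci-run-4821", "author": "alice@example.com",
     "started": "2025-06-10T14:00:30Z", "finished": "2025-06-10T14:03:00Z"},
    {"run_id": "ci-run-4830", "author": "bob@example.com",
     "started": "2025-06-10T16:44:00Z", "finished": "2025-06-10T16:46:10Z"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def resolve_owner(event, runs, slack=timedelta(seconds=60)):
    """Return (identity_name, owner, method); method is 'session', 'window' or None."""
    params = event["requestParameters"]
    identity = params.get("userName") or params.get("roleName")
    session = event["userIdentity"]["arn"].rsplit("/", 1)[-1]
    # Strong link: the role session name carries the CI run id directly.
    for run in runs:
        if run["run_id"] == session:
            return identity, run["author"], "session"
    # Weaker link: the creation event falls inside exactly one run's time window.
    t = _ts(event["eventTime"])
    hits = [r for r in runs if _ts(r["started"]) - slack <= t <= _ts(r["finished"]) + slack]
    if len(hits) == 1:
        return identity, hits[0]["author"], "window"
    return identity, None, None  # ambiguous or unmatched: a human must adjudicate

if __name__ == "__main__":
    for ev in AUDIT_EVENTS:
        print(resolve_owner(ev, CI_RUNS))
```

A 'window' result is circumstantial (a manual apply overlapping a CI run would be misattributed), so treat it as a lead to confirm, not an answer.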