
Found a hardcoded DB password sitting in a CodeBuild pipeline last quarter.
It had been there 14 months. Nobody noticed.
This stuff happens more than people admit. And the fix is genuinely not complicated.
If something rotates — DB credentials, API keys, OAuth tokens — it goes in Secrets Manager. Full stop. Auto-rotation built in, native RDS integration, full audit trail in CloudTrail. Costs $0.40 a month per secret.
Everything else — feature flags, app config, environment values — SSM Parameter Store. Free tier. KMS encryption on SecureString. IAM controls per environment.
The thing most teams get wrong: they shove credentials into plain-text CodeBuild env vars because it's faster in the moment. Those values show up in build logs. Anybody with log access can read them.
One leaked key is all it takes. Uber found that out. Capital One found that out.
$0.40 a month versus a breach investigation. That's the actual tradeoff.
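Concretely, this is what the fix looks like in a CodeBuild buildspec. Added example, not from the original post; the secret name, parameter paths and script name are placeholders.

```yaml
# Added example, not from the original post. "prod/app/db",
# "/prod/app/..." and run-migrations.sh are placeholders.
version: 0.2

env:
  # BEFORE: the pattern the post warns about. A plain-text variable is
  # stored in the project definition, readable by anyone who can view
  # the project, and one stray echo puts it in CloudWatch Logs.
  #
  # variables:
  #   DB_PASSWORD: "placeholder-not-a-real-password"

  # AFTER: rotating credentials come from Secrets Manager, fetched at
  # build start. Value format is secret-id:json-key. The CodeBuild
  # service role needs secretsmanager:GetSecretValue on that secret
  # (and kms:Decrypt if it is encrypted with a customer managed key).
  secrets-manager:
    DB_USER: "prod/app/db:username"
    DB_PASSWORD: "prod/app/db:password"

  # Non-rotating config comes from Parameter Store. SecureString
  # parameters are decrypted before injection; the role needs
  # ssm:GetParameters on these paths (plus kms:Decrypt for SecureString).
  parameter-store:
    LOG_LEVEL: "/prod/app/log_level"
    FEATURE_NEW_CHECKOUT: "/prod/app/feature_new_checkout"

phases:
  build:
    commands:
      # Do not print the injected variables here: anything written to
      # stdout ends up in the build log, which is the exposure the
      # post describes. Pass them to the tooling via the environment.
      - ./run-migrations.sh
```

Scope the role's `secretsmanager:GetSecretValue` and `ssm:GetParameters` permissions to the specific ARNs rather than `*`, so a build project for one environment cannot read another environment's secrets.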
How does your team handle secrets in CI/CD right now? Curious if people are actually enforcing this or just saying they are.