Review & Remediate VM Secrets Security Recommendations

Implementation Effort: Medium
Security and IT teams must review secrets-related recommendations, analyze metadata, and remediate exposed secrets across Azure, AWS, and GCP virtual machines.

User Impact: Low
Secrets remediation is handled by administrators and security teams; end users are not directly involved.

Overview

Microsoft Defender for Servers includes secrets scanning capabilities that detect plaintext secrets—such as credentials, tokens, and keys—stored on virtual machines. These secrets can pose a serious lateral movement risk if compromised. Defender for Cloud generates recommendations when secrets are discovered, helping teams prioritize and remediate them effectively.

Prerequisites

• Defender for Servers Plan 2 or Defender CSPM must be enabled.
• Agentless scanning must be turned on.
• Machines must be supported Azure VMs, AWS EC2, or GCP Compute Engine instances 1.

How to Review Secrets Recommendations

1. Go to Microsoft Defender for Cloud > Recommendations.
2. Expand the Remediate vulnerabilities security control.
3. Look for one of the following:
   • "Machines should have secrets findings resolved" (Azure)
   • "EC2 instances should have secrets findings resolved" (AWS)
   • "VM instances should have secrets findings resolved" (GCP)
4. Expand Affected resources to view the list of machines with secrets findings.
5. In the Findings section, select a secret to view:
   • File path
   • Last access time
   • Token expiration (if applicable)
   • Whether the secret’s target resource still exists 1.

How to Remediate

• Follow the Remediation steps listed in the recommendation.
• Remove or rotate the exposed secret.
• Reconfigure the application or script to use secure storage (e.g., Azure Key Vault).
• Optionally, drill into the Inventory > Secrets tab on a specific VM to review and act on secrets directly 1.

Additional Tools

• Use Cloud Security Explorer to query secrets across your environment.
• Prioritize secrets based on exposure (e.g., internet-facing assets) and attack paths 2.

Failing to remediate secrets can lead to credential theft, privilege escalation, and lateral movement. This capability supports the "Assume Breach" principle of Zero Trust by identifying and eliminating sensitive data exposure on endpoints.

Reference

• Remediate machine secrets in Microsoft Defender for Cloud
• Protecting secrets in Defender for Cloud
• Remediate recommendations in Defender for Cloud