Tracking Non-Human Identities: How to Monitor Service Accounts and Automation Scripts
The alert hit at 02:14.
A backend service account moved 14 gigabytes of production data to an external S3 bucket.
No human was logged in.
Tracking non-human identities—service accounts, machine users, CI/CD pipelines, automation scripts—is not optional anymore. Attackers know these credentials often have broad permissions and weak monitoring. If you do not know which non-human identity accessed what and when, blind spots grow fast.
A non-human identity audit starts with complete logs. Every API call, every database query, every file read must tie back to a unique key or service account. Collect from your API gateway, IAM access logs, build servers, and Kubernetes audit trails. Store events in a centralized, immutable log store. Index on identity and timestamp.
Once collected, build a real-time correlation layer. Alerts should trigger on unusual access patterns—uncommon endpoints, large data transfers, or access outside expected schedules. Machine learning is optional; simple rules often catch the worst incidents. The key metric: verifiable answers to “who accessed what and when,” even when “who” is a shell script running nightly in CI.
Enforce least privilege. Give every non-human identity its own credentials, limited to the resources it needs and rotated on a schedule. Remove shared keys. Require short-lived tokens. If a single service account can sweep prod and staging with one API key, you have already lost control.
Regularly review permissions and historical logs. Identify stale identities, orphaned API keys, and service accounts with no recent valid activity. Delete what is unused. This reduces the attack surface and simplifies investigations.
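The rule-based correlation layer and the stale-identity review described above, as an added Python example that is not part of the original post. The event fields, the per-identity baselines and the 30-day idle threshold are assumptions; the audit events are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit events (not real logs); every call ties back to one named identity.
SAMPLE_EVENTS = [
    {"identity": "svc-backend", "ts": "2024-05-01T14:10:00", "endpoint": "db.query", "bytes_out": 4096, "dest": "internal"},
    {"identity": "ci-nightly", "ts": "2024-05-02T01:00:00", "endpoint": "build.run", "bytes_out": 1024, "dest": "internal"},
    {"identity": "svc-backend", "ts": "2024-05-02T02:14:00", "endpoint": "s3.put", "bytes_out": 14 * 1024**3, "dest": "external"},
    {"identity": "svc-reports", "ts": "2024-01-15T09:00:00", "endpoint": "api.read", "bytes_out": 2048, "dest": "internal"},
]

# Hypothetical per-identity baseline: expected endpoints, expected hours (UTC) and a per-call transfer cap.
BASELINES = {
    "svc-backend": {"endpoints": {"db.query", "api.read"}, "hours": range(6, 23), "max_bytes": 1024**3},
    "ci-nightly": {"endpoints": {"build.run", "registry.push"}, "hours": range(0, 4), "max_bytes": 512 * 1024**2},
    "svc-reports": {"endpoints": {"api.read"}, "hours": range(8, 18), "max_bytes": 64 * 1024**2},
}

def evaluate(event, baselines=BASELINES):
    """Return the names of the rules this event violates (empty list means nothing unusual)."""
    base = baselines.get(event["identity"])
    if base is None:
        return ["unknown_identity"]  # a key that maps to no inventoried identity is itself a finding
    hits = []
    if event["endpoint"] not in base["endpoints"]:
        hits.append("uncommon_endpoint")
    if event["bytes_out"] > base["max_bytes"]:
        hits.append("large_transfer")
    if event["dest"] == "external":
        hits.append("external_destination")
    if datetime.fromisoformat(event["ts"]).hour not in base["hours"]:
        hits.append("off_schedule")
    return hits

def correlate(events, baselines=BASELINES):
    """Group rule hits by identity so an alert answers 'who accessed what, and when'."""
    findings = defaultdict(list)
    for ev in events:
        hits = evaluate(ev, baselines)
        if hits:
            findings[ev["identity"]].append((ev["ts"], ev["endpoint"], hits))
    return dict(findings)

def stale_identities(events, baselines=BASELINES, now="2024-05-02T03:00:00", max_idle_days=30):
    """Inventoried identities with no activity inside the window: candidates for removal."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=max_idle_days)
    last_seen = {}
    for ev in events:
        last_seen[ev["identity"]] = max(datetime.fromisoformat(ev["ts"]), last_seen.get(ev["identity"], datetime.min))
    return sorted(i for i in baselines if i not in last_seen or last_seen[i] < cutoff)
```

Running `correlate(SAMPLE_EVENTS)` flags only the 02:14 transfer, with all four rules firing at once; `stale_identities(SAMPLE_EVENTS)` surfaces the reporting account that has been silent since January.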
The result of disciplined tracking: when the next alert hits at 02:14, you know exactly which process fired, what data moved, and under whose credentials. You act in minutes instead of days.
See how you can get instant visibility into non-human identities with Hoop. Connect, track, and lock down access—see it live in minutes at hoop.dev.