
Machine Identity Management

Discover, classify, and automate the lifecycle of service accounts, certificates, API keys, and SSH keys across your infrastructure.

Machine identities — service accounts, certificates, API keys, and SSH keys — represent the largest and least-governed identity type in most enterprises. WNCYBER automates their discovery and lifecycle management.

Discovery

Initiating a Discovery Scan

  1. Navigate to Identities → Machine → Discovery
  2. Select the environments to scan (connected cloud accounts, on-premises Active Directory, CI/CD systems)
  3. Run Full Discovery for an initial scan, or enable Continuous Discovery for ongoing monitoring
  4. Review results in Identities → Machine → Inventory

Discovery Sources

Source              What WNCYBER Discovers
------------------  ------------------------------------------------------------------------------------
Active Directory    Service accounts, managed service accounts (MSAs), group managed service accounts (gMSAs)
Microsoft Entra ID  App registrations, service principals, managed identities
AWS IAM             IAM users with programmatic access, roles, instance profiles
Azure               Service principals, managed identities, Key Vault secrets
GCP                 Service accounts, keys, Workload Identity bindings
Kubernetes          Service accounts, secrets, ConfigMaps with embedded credentials
GitHub              Deploy keys, Actions secrets, personal access tokens
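The Kubernetes row is the one most often done by hand before a discovery tool is in place, so here is the shape of that check as an added example. This is not WNCYBER code and not its detection ruleset; the credential patterns, the "misplaced" versus "inventory" disposition, and the ConfigMap and Secret objects below (in the dict shape kubectl -o json produces) are all constructed for the example.

```python
"""Scan Kubernetes ConfigMap and Secret objects for embedded credentials.

Added example, not WNCYBER code. A credential found in a ConfigMap is reported
as "misplaced" (ConfigMaps are unencrypted and usually world-readable in the
namespace); one found in a Secret is reported as "inventory", i.e. a machine
credential that still needs lifecycle management, not a misconfiguration.
"""
import base64
import re
from typing import Dict, List, Tuple

# Credential shapes to look for. These patterns are an assumption for this
# example, not WNCYBER's ruleset; extend them for your own platforms.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_in_url": re.compile(r"://[^/\s:]+:[^@\s]+@"),  # scheme://user:pass@host
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}

Finding = Tuple[str, str, str, str]  # (namespace/kind/name, data key, pattern, disposition)


def _plaintext_values(obj: dict) -> Dict[str, str]:
    """Return data key -> text for one object. Secret .data is base64; ConfigMap .data is plain."""
    values = {}
    for key, raw in (obj.get("data") or {}).items():
        if obj.get("kind") == "Secret":
            try:
                values[key] = base64.b64decode(raw, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # binary payload (e.g. a DER key); not a text credential
        else:
            values[key] = raw
    return values


def scan_object(obj: dict) -> List[Finding]:
    """Match every data value of one object against PATTERNS."""
    meta = obj.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{obj.get('kind')}/{meta.get('name')}"
    disposition = "inventory" if obj.get("kind") == "Secret" else "misplaced"
    findings = []
    for key, text in _plaintext_values(obj).items():
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((ident, key, name, disposition))
    return findings


def scan_objects(objs) -> List[Finding]:
    """Scan a list of objects (e.g. the .items of a kubectl get cm,secret -A -o json)."""
    out = []
    for obj in objs:
        out.extend(scan_object(obj))
    return out


# Constructed sample objects; the key in runner-env is AWS's documented example ID.
SAMPLE_OBJECTS = [
    {"kind": "ConfigMap", "metadata": {"namespace": "payments", "name": "app-config"},
     "data": {"DATABASE_URL": "postgres://app:Sup3rS3cret@db.internal:5432/pay",
              "LOG_LEVEL": "info"}},
    {"kind": "ConfigMap", "metadata": {"namespace": "ci", "name": "runner-env"},
     "data": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "REGION": "eu-west-1"}},
    {"kind": "Secret", "metadata": {"namespace": "ci", "name": "gh-token"},
     "data": {"token": base64.b64encode(b"ghp_" + b"a" * 36).decode()}},
    {"kind": "Secret", "metadata": {"namespace": "ci", "name": "tls"},
     "data": {"tls.key": base64.b64encode(b"\x00\x01not-text").decode()}},
]

if __name__ == "__main__":
    for ident, key, pattern, disposition in scan_objects(SAMPLE_OBJECTS):
        print(f"{disposition:10} {ident:35} {key:20} {pattern}")
```

Feed it real data with `kubectl get configmaps,secrets -A -o json` and pass the `items` list to `scan_objects`; the "misplaced" findings are the ones to move into Secrets (or an external vault) before anything else.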

Certificate Management

Certificate Lifecycle

WNCYBER tracks certificate validity periods and automates renewal workflows:

  1. Inventory — discover certificates across web servers, load balancers, and internal PKI
  2. Monitor — receive alerts at configurable thresholds before expiry (default: 30 days)
  3. Renew — trigger automatic renewal via integrated CAs (ACME, Microsoft ADCS, HashiCorp Vault PKI)
  4. Revoke — revoke compromised or unused certificates through the console

Configuring Auto-Renewal

Navigate to Machine → Certificates → Auto-Renewal Settings. Set:

  • The CA integration to use for renewals
  • The lead time before expiry (default: 30 days)
  • The notification contacts for renewal failures
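The Monitor step and the auto-renewal lead time both reduce to one comparison: time left on the certificate against the configured lead time. The following is an added example of that check, not WNCYBER code. It works on the dict that Python's ssl.SSLSocket.getpeercert() returns, so the same function runs over the constructed inventory below and over live endpoints; the hostnames, dates, and the fixed "now" are constructed, and the 30-day lead time is the page's default.

```python
"""Classify certificates as expired / renew / ok against a renewal lead time.

Added example, not WNCYBER code. Records use the dict shape returned by
ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDN tuples and 'notAfter'
is a string such as 'Jun 10 12:00:00 2025 GMT'.
"""
import socket
import ssl
import time
from typing import Dict, Iterable, Optional

DEFAULT_LEAD_SECONDS = 30 * 24 * 3600  # the page's default: alert 30 days before expiry


def classify_cert(cert: dict, now: float, lead_seconds: int = DEFAULT_LEAD_SECONDS) -> str:
    """Return 'expired', 'renew' or 'ok' for one getpeercert()-style dict.

    A certificate exactly at the lead time is already due ('renew'), so that a
    daily job never lets the window slip past by one day.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC epoch seconds
    if not_after <= now:
        return "expired"
    if not_after - now <= lead_seconds:
        return "renew"
    return "ok"


def _common_name(cert: dict) -> str:
    return next(value for rdn in cert["subject"] for name, value in rdn if name == "commonName")


def renewal_report(inventory: Iterable[dict], now: Optional[float] = None,
                   lead_seconds: int = DEFAULT_LEAD_SECONDS) -> Dict[str, dict]:
    """Map each certificate's CN to its status and whole days left (negative once expired)."""
    now = time.time() if now is None else now
    report = {}
    for cert in inventory:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        report[_common_name(cert)] = {
            "status": classify_cert(cert, now, lead_seconds),
            "days_left": (not_after - int(now)) // 86400,
        }
    return report


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live endpoint's leaf certificate (needs network; not used by the sample run).

    With the default context the handshake verifies the chain, so an untrusted or
    already-expired certificate raises ssl.SSLCertVerificationError rather than
    returning a dict; catch that separately and treat it as a finding of its own.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed inventory and a fixed clock so the run is reproducible.
NOW = ssl.cert_time_to_seconds("Jan 15 00:00:00 2026 GMT")
SAMPLE_INVENTORY = [
    {"subject": ((("commonName", "api.example.internal"),),),   "notAfter": "Jan 10 00:00:00 2026 GMT"},
    {"subject": ((("commonName", "web.example.internal"),),),   "notAfter": "Feb 01 00:00:00 2026 GMT"},
    {"subject": ((("commonName", "cache.example.internal"),),), "notAfter": "Feb 14 00:00:00 2026 GMT"},
    {"subject": ((("commonName", "vpn.example.internal"),),),   "notAfter": "Jun 30 00:00:00 2026 GMT"},
]

if __name__ == "__main__":
    for cn, row in renewal_report(SAMPLE_INVENTORY, now=NOW).items():
        print(f"{row['status']:8} {row['days_left']:5d}d  {cn}")
```

Run it against real hosts by building the inventory from `fetch_peer_cert(host)` for each endpoint; keep the lead time at least as long as your CA integration's worst-case renewal turnaround, otherwise a failed first attempt leaves no time for a retry.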

Service Account Governance

Right-Sizing Permissions

WNCYBER analyses the permissions each service account actually exercises and compares them with the permissions it has been assigned. Accounts whose assigned permissions significantly exceed their used permissions are flagged as Over-Privileged. Because the comparison is based on observed usage, make sure the observation window covers the account's infrequent work (month-end batches, quarterly reports, disaster-recovery drills) before treating unused permissions as removable.

To right-size a service account:

  1. Open the account in Identities → Machine → Service Accounts
  2. Review the Permissions Analysis tab
  3. Click Generate Remediation Plan — WNCYBER produces a minimal permission set based on observed usage
  4. Export the remediation plan for review, or apply it directly if write permissions are configured

Orphan Detection

Service accounts with no successful authentication in the past 90 days (configurable) are marked as Potentially Orphaned. Navigate to Machine → Service Accounts → Orphan Report to review and take action. Confirm an owner before disabling an account: break-glass and disaster-recovery accounts are expected to sit idle for long periods and will appear in this report.
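An added example of the analysis behind the Permissions Analysis tab and the Orphan Report together. This is not WNCYBER code; it uses IAM-style "service:Action" strings with "*" wildcards, and the over-privilege ratio, the sample account, its usage log, and the fixed "now" are constructed. The 90-day orphan threshold is the page's default.

```python
"""Right-size a service account from observed usage and flag orphans.

Added example, not WNCYBER code. The remediation plan replaces every assigned
grant with the exact actions observed in use: wildcard grants ("s3:*") are
narrowed, grants that covered no observed action are dropped, and used actions
that no grant explains are reported separately for investigation rather than
being added to the plan.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Optional

OVERPRIVILEGE_RATIO = 0.5  # assumption for this example: flag when >50% of grants are unused or wildcarded
ORPHAN_AFTER_DAYS = 90     # the page's default orphan threshold


def grant_covers(grant: str, action: str) -> bool:
    """True if an assigned grant (possibly wildcarded, e.g. 's3:Get*') permits an action."""
    return fnmatchcase(action, grant)


def analyse_permissions(assigned: Iterable[str], used: Iterable[str]) -> dict:
    """Compare assigned grants with observed actions and produce a minimal permission set."""
    assigned = sorted(set(assigned))
    used = sorted(set(used))
    unused_grants = [g for g in assigned if not any(grant_covers(g, a) for a in used)]
    wildcard_grants = [g for g in assigned if "*" in g and g not in unused_grants]
    # Observed actions that no grant explains: typically denied calls in the audit
    # log or a second policy source. Investigate; do not silently grant them.
    uncovered = [a for a in used if not any(grant_covers(g, a) for g in assigned)]
    minimal = [a for a in used if a not in uncovered]
    ratio = (len(unused_grants) + len(wildcard_grants)) / len(assigned) if assigned else 0.0
    return {
        "minimal_permissions": minimal,      # exact actions only, no wildcards
        "unused_grants": unused_grants,      # remove
        "wildcard_grants": wildcard_grants,  # replace with the exact actions above
        "uncovered_used_actions": uncovered,
        "over_privileged": ratio > OVERPRIVILEGE_RATIO,
    }


def orphan_status(last_success: Optional[datetime], now: datetime,
                  threshold_days: int = ORPHAN_AFTER_DAYS) -> str:
    """'active' if the account authenticated within the threshold, else 'potentially_orphaned'."""
    if last_success is None:
        # No successful authentication in the retained logs at all. Break-glass and
        # DR accounts land here by design; confirm an owner before disabling.
        return "potentially_orphaned"
    if now - last_success > timedelta(days=threshold_days):
        return "potentially_orphaned"
    return "active"


# Constructed sample: one account's policy and the actions seen in its audit trail.
ASSIGNED = ["s3:*", "s3:ListAllMyBuckets", "ec2:DescribeInstances", "iam:PassRole", "kms:Decrypt"]
USED = ["s3:GetObject", "s3:PutObject", "kms:Decrypt", "sts:GetCallerIdentity"]

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"name": "svc-payments-batch", "last_success": datetime(2025, 12, 20, tzinfo=timezone.utc)},
    {"name": "svc-legacy-report", "last_success": datetime(2025, 9, 1, tzinfo=timezone.utc)},
    {"name": "svc-dr-restore", "last_success": None},
]


def review_accounts(accounts: Iterable[dict], now: datetime) -> Dict[str, str]:
    """Orphan Report: account name -> status."""
    return {a["name"]: orphan_status(a["last_success"], now) for a in accounts}


if __name__ == "__main__":
    for key, value in analyse_permissions(ASSIGNED, USED).items():
        print(f"{key:24} {value}")
    for name, status in review_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name:20} {status}")
```

The `uncovered_used_actions` bucket is the part people skip: a used action that no grant explains means the usage data and the policy data disagree, and applying a plan built on inconsistent data is how right-sizing breaks production.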

API Key and SSH Key Management

API Key Rotation

  1. Navigate to Machine → API Keys
  2. Select keys to rotate or enable Auto-Rotate for supported platforms
  3. Set the rotation schedule (default: 90 days)
  4. WNCYBER rotates the key, updates it in the secrets vault, and notifies consuming workloads via the configured channel

SSH Key Replacement

Replace static SSH keys with ephemeral, certificate-based authentication:

  1. Deploy the WNCYBER SSH Certificate Authority to your bastion or jump hosts
  2. Configure the target hosts to trust the WNCYBER CA
  3. Users and workloads request short-lived SSH certificates instead of using static keys
  4. Certificates expire after the configured session duration (default: 8 hours)