Resolved Has there been any fresh update on the approach of Plesk to the exposure of AWS Firehouse keys?

[lemoneye]

Server operating system version

Ubuntu 24.04.03

Plesk version and microupdate number

Plesk Obsidian 18.0.71 Update #2

I note there has been previous discussion of this in the Forums (Question - Why in plesk firehouse Aws keys are public ?), but my largest customer is flagging this as something their security people are concerned about.

Why do these keys need to be exposed? What are they for, and is it possible to manage them?

Again I note the possible mitigation in the Question - Why in plesk firehouse Aws keys are public ? thread.

An official response from Plesk would be useful as we need to be able to demonstrate due diligence at the very least.

Thanks and regards,
Brendon

 

[Sebahat.hadzhi]

Hello, Brendon. This is still not considered a vulnerability, because the account credentials that are exposed have no harmful permissions. Only anonymized technical data is gathered and sent via these credentials. Nevertheless, our team is currently reworking the manner in which keys are handled. However, I cannot yet provide any ETA on when the task will be completed. At the moment, the only available workaround is to disable Plesk User Activity tracking by using the steps in the following article:

• How to disable Plesk User Activity tracking?

 

[lemoneye]

Thank you for your speedy respnse, Sebahat. I shall report this back to my client. Please mark this closed.