# 🔑 Secrets Graph - Relationships and Impact
## Secrets Network - Where they were found and what they access
```mermaid
graph TB
subgraph "GIT HISTORY - ORIGIN"
REPO1["portal-de-relacionamento-backend<br/>3377 commits"]
REPO2["gestao-de-identidade-serverless<br/>280 commits"]
REPO3["portal-de-relacionamento-frontend<br/>2373 commits"]
end
subgraph "SECRETS FOUND"
TOKEN_SEC["🔴 TOKEN_SECRET<br/>569825f342fae7cae51f7c55fcc805c6<br/>JWT Secret<br/>Type: Symmetric encryption<br/>FOUND IN: 2 REPOS"]
MSAL_DEV["🔴 MSAL Dev Secret<br/>Qjc8Q~qh5ILbrPG71r35Y2U9M53nNMFZSyGi.aOb<br/>AppID: cc06aa03<br/>Type: Azure AD Client Secret<br/>ACTIVE + in git"]
MSAL_PRD["🔴 MSAL Prod Secret<br/>IA_8Q~<br/>AppID: 4e5a672f<br/>Type: Azure AD Client Secret<br/>NEW (added during audit)"]
RDS_CREDS["🔴 MySQL RDS Dev<br/>dev_admin:sShk9PkdQ35BRilDH0ukREDEDOR<br/>Host: gestao-identidade-dev.cf04evbxtqfl<br/>Type: Database credentials<br/>STATUS: ACTIVE"]
SWAGGER_AUTH["🟠 Swagger BasicAuth<br/>User: S7W1vzE4Xx5scLY1GsKf<br/>Pass: $t7N0<\\33Ts8<br/>Type: Basic Auth<br/>Scope: Portal internal API"]
CRM_PASS["🟠 CRM Password<br/>503743dE2c124255A395Db53b8757793<br/>Type: System password<br/>Scope: Dynamics/CRM system"]
COGNITO["🟠 Cognito Client Secret<br/>59r3tknurueajmegi8dme43c9ef9hirfvjg6cdtpb12r7uj4dav<br/>Type: AWS Cognito client<br/>Scope: User pool access"]
SN_SEC1["🟠 ServiceNow Secret 1<br/>y}57}QL)T<br/>Type: App password<br/>Scope: ServiceNow integration"]
SN_SEC2["🟠 ServiceNow Secret 2<br/>0TykR59NL]!X84T<br/>Type: API key<br/>Scope: ServiceNow integration"]
APEX_DEV["🟠 APEX Dev Secret<br/>DDc<br/>AppID: 4459f6a9<br/>Type: APEX client secret<br/>Expires: 2028"]
APEX_PRD["🟠 APEX Prod Secret<br/>YP8<br/>AppID: 4459f6a9<br/>Type: APEX client secret<br/>Expires: 2028"]
APEX_GEN["🔴 APEX General Prod Secret<br/>8nf<br/>AppID: 4459f6a9<br/>Type: APEX secret<br/>Expires: 2026-03 (soon)"]
APEX_ORACLE["🔴 Oracle APEX Secret<br/>iC_<br/>AppID: 4459f6a9<br/>Type: Oracle APEX credential<br/>Expires: TODAY! ⚠️"]
AWS_CRED1["🟡 AWS Credential (expired)<br/>ASIAUDR62I7VSFR2BZ4F<br/>Account: 282525845483<br/>Type: STS token<br/>Status: EXPIRED 2024"]
AWS_CRED2["🟡 AWS Credential (expired)<br/>ASIAXB6XBZEG7RE64OW4<br/>Account: 485245438221<br/>Type: STS token<br/>Status: EXPIRED 2024"]
end
subgraph "AZURE AD APPS (344 TOTAL)"
PAT_TOKEN_MGR["🔴 PAT-Token-Manager<br/>AppID: df077825<br/>3 active secrets<br/>Accesses: Azure DevOps FULL"]
DOR_DEV_HUB["🔴 dor-dev-hub<br/>AppID: 8a7d0eab<br/>2 active secrets<br/>Accesses: Azure DevOps (exp 2028)"]
CYBERARK_APP["🟠 CyberArk Identity RDOR OLD<br/>AppID: 994ce889<br/>2 secrets exp 2026<br/>Accesses: Directory.ReadWrite.All"]
KEYVAULT_APP["🔴 Key Vault Management<br/>AppID: 1cd22fa9<br/>Secret manager<br/>Accesses: ALL 344 secrets"]
APEX_APP["🟠 APEX - AUTHENTICATION<br/>AppID: 4459f6a9<br/>7 secrets total<br/>Accesses: Oracle APEX + business logic"]
OUTROS_336["+ 336 Azure AD Apps<br/>with secrets"]
end
subgraph "SYSTEMS ACCESSED"
GRAPH_API["📊 Microsoft Graph API<br/>Scope: Application.ReadWrite.All<br/>Can read/modify<br/>ALL 344 apps"]
DEVOPS["🔷 Azure DevOps Organization<br/>rededorlabs<br/>6 main repositories"]
MYSQL_DEV["🗄️ MySQL RDS Dev<br/>gestao-identidade-dev<br/>Users/roles database"]
PORTAL_API["🌐 Portal Internal API<br/>Business endpoints<br/>Medical workflows"]
CRM_SYSTEM["💼 Dynamics CRM<br/>Customer relationship<br/>Business data"]
COGNITO_UP["👥 AWS Cognito User Pool<br/>User management<br/>Authentication"]
SERVICENOW["🎟️ ServiceNow Instance<br/>Ticketing system<br/>ITSM workflows"]
APEX_SYSTEM["📱 Oracle APEX<br/>Business logic<br/>Application platform"]
AWS_INFRA["☁️ AWS Infrastructure<br/>3 AWS accounts<br/>RDS, ECS, Lambda, ECR"]
end
%% Secret origins
REPO1 -->|"Commit history"| TOKEN_SEC
REPO1 -->|"Commit history"| MSAL_DEV
REPO1 -->|"Commit history"| RDS_CREDS
REPO1 -->|"Commit history"| SWAGGER_AUTH
REPO1 -->|"Commit history"| CRM_PASS
REPO2 -->|"Commit history"| TOKEN_SEC
REPO2 -->|"Commit history"| COGNITO
REPO2 -->|"Commit history"| SN_SEC1
REPO2 -->|"Commit history"| SN_SEC2
REPO3 -->|"Config files"| MSAL_DEV
%% System access
TOKEN_SEC -->|"JWT auth"| MYSQL_DEV
TOKEN_SEC -->|"JWT auth"| PORTAL_API
TOKEN_SEC -->|"JWT auth"| AWS_INFRA
MSAL_DEV -->|"Graph API token"| GRAPH_API
MSAL_DEV -->|"Portal auth"| PORTAL_API
MSAL_PRD -->|"Production auth"| PORTAL_API
MSAL_PRD -->|"Graph API token"| GRAPH_API
RDS_CREDS -->|"MySQL access"| MYSQL_DEV
SWAGGER_AUTH -->|"API gateway bypass"| PORTAL_API
CRM_PASS -->|"Direct auth"| CRM_SYSTEM
COGNITO -->|"User pool access"| COGNITO_UP
SN_SEC1 -->|"Integration auth"| SERVICENOW
SN_SEC2 -->|"Integration auth"| SERVICENOW
APEX_DEV -->|"APEX access"| APEX_SYSTEM
APEX_PRD -->|"APEX access"| APEX_SYSTEM
APEX_GEN -->|"APEX auth"| APEX_SYSTEM
APEX_ORACLE -->|"Oracle APEX access"| APEX_SYSTEM
AWS_CRED1 -->|"Historical access"| AWS_INFRA
AWS_CRED2 -->|"Historical access"| AWS_INFRA
%% Azure AD relationships
PAT_TOKEN_MGR -->|"DevOps FULL scope"| DEVOPS
DOR_DEV_HUB -->|"DevOps access"| DEVOPS
CYBERARK_APP -->|"Directory management"| GRAPH_API
KEYVAULT_APP -->|"Access ALL secrets"| OUTROS_336
APEX_APP -->|"Contains"| APEX_DEV
APEX_APP -->|"Contains"| APEX_PRD
APEX_APP -->|"Contains"| APEX_GEN
APEX_APP -->|"Contains"| APEX_ORACLE
GRAPH_API -->|"Enumerate"| PAT_TOKEN_MGR
GRAPH_API -->|"Enumerate"| DOR_DEV_HUB
GRAPH_API -->|"Enumerate"| CYBERARK_APP
GRAPH_API -->|"Enumerate"| KEYVAULT_APP
GRAPH_API -->|"Enumerate"| APEX_APP
GRAPH_API -->|"Enumerate"| OUTROS_336
%% Pivot vectors
MSAL_DEV -.->|"Can add password to"| MSAL_PRD
style TOKEN_SEC fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style MSAL_DEV fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style MSAL_PRD fill:#ff6666,color:#fff,stroke:#cc0000,stroke-width:3px
style RDS_CREDS fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style SWAGGER_AUTH fill:#ff9999,color:#fff,stroke:#cc0000,stroke-width:2px
style APEX_ORACLE fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style APEX_GEN fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style PAT_TOKEN_MGR fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style DOR_DEV_HUB fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style KEYVAULT_APP fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style GRAPH_API fill:#ff9999,color:#fff,stroke:#cc0000,stroke-width:2px
style DEVOPS fill:#ff9999,color:#fff,stroke:#cc0000,stroke-width:2px
```
## Secrets Matrix by Location

```mermaid
graph TB
subgraph "GIT REPOSITORY EXPOSURE"
G1["portal-de-relacionamento-backend<br/>📌 TOKEN_SECRET<br/>📌 MSAL Dev Secret<br/>📌 MySQL RDS (dev_admin:password)<br/>📌 Swagger BasicAuth<br/>📌 CRM Password<br/>Commits: 3377<br/>Findings: 5 major secrets"]
G2["gestao-de-identidade-serverless<br/>📌 TOKEN_SECRET (DUPLICATED!)<br/>📌 Cognito Secret<br/>📌 ServiceNow Creds (2x)<br/>Commits: 280<br/>Findings: 4 secrets"]
G3["portal-de-relacionamento-frontend<br/>🔍 MSAL config<br/>🔍 API endpoints<br/>Commits: 2373<br/>Findings: Config files"]
end
subgraph "AZURE AD SECRETS (Enumerable)"
A1["PAT-Token-Manager (df077825)<br/>Status: 3 active secrets<br/>Expires: N/A<br/>Access: Azure DevOps FULL"]
A2["dor-dev-hub (8a7d0eab)<br/>Status: 2 active secrets<br/>Expires: 2028<br/>Access: Azure DevOps"]
A3["Key Vault Management (1cd22fa9)<br/>Status: Active<br/>Expires: N/A<br/>Access: ALL 344 secrets"]
A4["CyberArk Identity (994ce889)<br/>Status: 2 active secrets<br/>Expires: 2026<br/>Access: Directory.ReadWrite.All"]
A5["APEX Auth (4459f6a9)<br/>Status: 7 secrets<br/>Expires: 2028, 2026-03, TODAY<br/>Access: Oracle APEX + business"]
A6["+ 339 Other Apps<br/>Status: Average 1 secret each<br/>Expires: Various<br/>Access: Various services"]
end
subgraph "TIMELINE - EXPIRATION URGENCY"
T1["🔴 EXPIRES TODAY<br/>Oracle APEX Secret (iC_)<br/>Loss of APEX access imminent"]
T2["🔴 EXPIRES 2026-03<br/>APEX id_secret_general (8nf)<br/>60 days to rotate"]
T3["🟠 EXPIRES 2026-05-09<br/>MSAL Prod hint (ew5)<br/>72 days to rotate"]
T4["🟡 EXPIRES 2028<br/>DEV/PRD APEX secrets<br/>700+ days (monitor)"]
T5["🟡 EXPIRED 2024<br/>AWS credentials<br/>Rotate for audit trail"]
end
subgraph "BLAST RADIUS - SYSTEMS AFFECTED"
S1["🔓 Git Repository Access<br/>Affects: 6 repos<br/>Impact: Source code exposure"]
S2["🔓 Azure AD Tenant<br/>Affects: 344 apps<br/>Impact: Complete org compromise"]
S3["🔓 Azure DevOps Organization<br/>Affects: Code, Build, Release<br/>Impact: CI/CD pipeline"]
S4["🔓 AWS Infrastructure<br/>Affects: 3 accounts + RDS<br/>Impact: Infrastructure access"]
S5["🔓 Medical Data Pipeline<br/>Affects: Patient workflows<br/>Impact: LGPD/HIPAA violation"]
S6["🔓 Enterprise Systems<br/>Affects: CRM, ServiceNow, APEX<br/>Impact: Business logic"]
end
G1 --> S1
G1 --> S5
G2 --> S1
G2 --> S4
G3 --> S2
A1 --> S3
A2 --> S3
A3 --> S2
A4 --> S2
A5 --> S6
T1 -.->|"URGENT"| A5
T2 -.->|"URGENT"| A5
T3 -.->|"URGENT"| A5
style T1 fill:#ff0000,color:#fff,stroke:#8b0000,stroke-width:3px
style T2 fill:#ff3333,color:#fff,stroke:#8b0000,stroke-width:3px
style T3 fill:#ff6666,color:#fff,stroke:#cc0000,stroke-width:2px
style S1 fill:#ffcccc,color:#000
style S2 fill:#ffcccc,color:#000
style S3 fill:#ffcccc,color:#000
style S4 fill:#ffcccc,color:#000
style S5 fill:#ffcccc,color:#000
style S6 fill:#ffcccc,color:#000
```
## Details of Each Secret

### 1. TOKEN_SECRET - Symmetric JWT key

- Value: `569825f342fae7cae51f7c55fcc805c6cec4e2cb7b1535e5344266d332911977`
- Type: Symmetric encryption key (256-bit)
- Found in:
  - portal-de-relacionamento-backend (commit: unknown)
  - gestao-de-identidade-serverless (commit: unknown)
- Access:
  - JWT validation/signing
  - Internal API authentication
  - AWS Account 282525845483
  - AWS Account 485245438221
- Status: DUPLICATED IN 2 REPOS = CRITICAL
- Action: Invalidate ALL JWTs generated with this key + rotate

### 2. MSAL Dev ClientSecret

- Value: `Qjc8Q~qh5ILbrPG71r35Y2U9M53nNMFZSyGi.aOb`
- AppID: cc06aa03 (Portal-Dev)
- Type: Azure AD Client Secret (Microsoft format)
- Found in: portal-de-relacionamento-backend git history
- Active: YES (it was never revoked!)
- Access:
  - Microsoft Graph API
  - Application.ReadWrite.All (can read/modify 344 apps!)
  - Token as other service principals
  - Add passwords to prod apps
- Status: COMPROMISED - PRIMARY ATTACK VECTOR
- Action: REVOKE IMMEDIATELY + delete the app or rotate with a new secret

### 3. MSAL Prod ClientSecret

- Value: `IA_8Q~...` (new)
- AppID: 4e5a672f (Portal-Prod)
- Type: Azure AD Client Secret
- Found in: CREATED DURING THE AUDIT (not discovered in git)
- Active: YES (a new secret was added!)
- Access:
  - Production portal authentication
  - Graph API access
- Status: NEW - Possible incident response OR a new attack
- Action: AUDIT who created it + REVOKE immediately

### 4. MySQL RDS Dev Credentials

- Connection: `mysql://dev_admin:sShk9PkdQ35BRilDH0ukREDEDOR@gestao-identidade-dev.cf04evbxtqfl.sa-east-1.rds.amazonaws.com:3306`
- Account: 282525845483
- Found in: portal-de-relacionamento-backend (hardcoded)
- Active: YES (database reachability TBD)
- Access:
  - Identity database
  - Users, roles, permissions
  - Medical workflow data
- Status: ACCESSIBLE IN GIT HISTORY
- Action: FORCE ROTATE + change master password + enable encryption at rest

### 5. Oracle APEX Secret

- Value: `iC_`
- AppID: 4459f6a9
- Found in: Azure AD app secrets
- Status: EXPIRES TODAY!
- Access:
  - Oracle APEX platform
  - Business logic applications
  - Critical workflows
- Action: ROTATE BEFORE 23:59 TODAY! + issue new
### 🟠 HIGH - Urgent Rotation (24-48h)

### 6. Swagger BasicAuth

- User: `S7W1vzE4Xx5scLY1GsKf`
- Pass: `$t7N0<\33Ts8`
- Found in: portal-de-relacionamento-backend git history
- Access: Portal internal API (bypasses authentication)
- Status: Hardcoded in multiple places
- Action: Revoke + update Swagger config + rotate creds

### 7. CRM Password

- Password: `503743dE2c124255A395Db53b8757793`
- System: Dynamics 365 CRM
- Found in: portal-de-relacionamento-backend
- Access: Customer relationship management + business data
- Status: Plaintext in git
- Action: Change CRM admin password + audit access logs

### 8. AWS Cognito Secret

- Secret: `59r3tknurueajmegi8dme43c9ef9hirfvjg6cdtpb12r7uj4dav`
- Found in: gestao-de-identidade-serverless git history
- Access: User pool authentication + user management
- Status: Active in code
- Action: Rotate in the Cognito console + update apps

### 9. ServiceNow Secrets (2x)

- Secret 1: `y}57}QL)T`
- Secret 2: `0TykR59NL]!X84T<`
- Found in: gestao-de-identidade-serverless
- Access: ServiceNow ticketing + ITSM workflows
- Status: Multiple endpoints compromised
- Action: Change BOTH secrets in ServiceNow + audit integrations

### 10. APEX DEV/PRD Secrets

- DEV_APEX: `DDc` (exp 2028)
- PRD_APEX: `YP8` (exp 2028)
- id_secret_general: `8nf` (exp 2026-03)
- Found in: Azure AD app secrets
- Access: Oracle APEX business applications
- Status: 7 secrets in the app in total, 3 expiring soon
- Action: Force rotate all + implement a 90-day policy
### 🟡 EXPIRED - Historical Impact Analysis

### 11. AWS Credentials (Expired)

- `ASIAUDR62I7VSFR2BZ4F` (Account 282525845483) - EXPIRED
- `ASIAXB6XBZEG7RE64OW4` (Account 485245438221) - EXPIRED
- Type: STS temporary credentials
- Historical impact:
  - Indicate earlier access to production
  - CloudTrail should have usage logs
- Action:
  - Audit CloudTrail for the validity period
  - Verify whether new credentials were issued
  - Check for privilege escalation
## Dependency Graph - What Breaks if Rotated

```mermaid
graph TB
TOKEN_SEC["TOKEN_SECRET<br/>IMPACT: HIGH"]
MSAL_DEV["MSAL Dev Secret<br/>IMPACT: CRITICAL"]
RDS_CREDS["RDS Credentials<br/>IMPACT: CRITICAL"]
subgraph "IF TOKEN_SECRET IS ROTATED"
T1["❌ JWT validation breaks"]
T2["❌ All apps that use JWT fail"]
T3["❌ AWS Lambda functions fail"]
T4["❌ Requires rebuild + deploy of 3 repos"]
end
subgraph "IF MSAL_DEV IS ROTATED"
M1["✅ Portal Dev stops working"]
M2["✅ Apps can no longer be enumerated"]
M3["✅ MSAL Prod becomes safe"]
M4["⚠️ Needs a new secret in CI/CD"]
end
subgraph "IF RDS_CREDS ARE ROTATED"
R1["❌ gestao-identidade services fail"]
R2["❌ portal-backend services fail"]
R3["❌ User authentication breaks"]
R4["❌ Requires a coordinated deployment"]
end
TOKEN_SEC --> T1 --> T2 --> T3 --> T4
MSAL_DEV --> M1 --> M2 --> M3 --> M4
RDS_CREDS --> R1 --> R2 --> R3 --> R4
style TOKEN_SEC fill:#ff3333,color:#fff
style MSAL_DEV fill:#ff3333,color:#fff
style RDS_CREDS fill:#ff3333,color:#fff
style T4 fill:#ffcccc
style M4 fill:#ccffcc
style R4 fill:#ffcccc
```
## Rotation Prioritization

| Order | Secret | Severity | Timeline | Dependencies |
|---|---|---|---|---|
| 1 | Oracle APEX (iC_) | 🔴 CRITICAL | TODAY | None (new secret already prepared?) |
| 2 | MSAL Dev (Qjc8Q~) | 🔴 CRITICAL | TODAY | None (the app can be disabled) |
| 3 | MSAL Prod (IA_8Q~) | 🔴 CRITICAL | 24h | Needs a new secret in CI/CD |
| 4 | TOKEN_SECRET | 🔴 CRITICAL | 24h | Rebuild 3 repos + coordinated deploy |
| 5 | RDS Dev Creds | 🔴 CRITICAL | 48h | Coordinate with Ops + apps |
| 6 | Swagger BasicAuth | 🟠 HIGH | 48h | Update Swagger config |
| 7 | ServiceNow Secrets | 🟠 HIGH | 48h | Notify integrations |
| 8 | CRM Password | 🟠 HIGH | 72h | Audit CRM access |
| 9 | Cognito Secret | 🟠 HIGH | 72h | Update app config |
| 10 | APEX DEV/PRD | 🟠 HIGH | 7 days | Prepare new secrets |
| 11 | AWS Credentials | 🟡 MEDIUM | 30 days | CloudTrail audit |
## Rotation Checklist

### TODAY
- [ ] Rotate Oracle APEX secret (iC_) - EXPIRES in hours!
- [ ] REVOKE MSAL Dev ClientSecret (Qjc8Q~)
- [ ] Disable Portal-Dev Azure AD app
- [ ] Audit who created the new MSAL Prod secret (IA_8Q~)

### 24h
- [ ] Revoke PAT Token Azure DevOps
- [ ] Revoke/Rotate MSAL Prod secret (IA_8Q~)
- [ ] Begin TOKEN_SECRET rotation planning
- [ ] Scan complete git history with TruffleHog

### 48h
- [ ] Rotate RDS Dev password (force apps to reconnect)
- [ ] Rotate Swagger BasicAuth credentials
- [ ] Change ServiceNow integration secrets
- [ ] Force redeploy affected services

### 72h
- [ ] Change CRM admin password
- [ ] Rotate Cognito client secret
- [ ] Update all apps with new secrets in CI/CD
- [ ] Verify all services operational

### 1 WEEK
- [ ] Rotate remaining APEX secrets (DDc, YP8)
- [ ] Implement secret rotation policy (90 days)
- [ ] Audit CyberArk permissions (Directory.ReadWrite.All)
- [ ] CloudTrail analysis of expired AWS credentials

### 30 DAYS
- [ ] Migrate to Azure Key Vault for ALL secrets
- [ ] Enable secret manager rotation policies
- [ ] Implement CI/CD secret scanning
- [ ] Disable legacy Azure AD apps
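The git-history scan and CI/CD secret scanning items above rely on recognising the same secret classes this audit inventoried (Azure AD client secrets, AWS access key ids, 64-hex JWT keys, database URIs with embedded passwords). The following is an added example, not the audit's own tooling or TruffleHog: a minimal scanner that redacts what it finds and is run here over a constructed diff with placeholder values; `scan_git_history` assumes a local clone and the `git` CLI on PATH.

```python
import re
import subprocess
from dataclasses import dataclass

# One regex per secret class inventoried above. Lookarounds rather than \b,
# because Azure secrets may end in '.', '-' or '~', where \b misfires.
PATTERNS = {
    # Azure AD client secret: 40 chars with the "8Q~" marker at offset 3
    "azure_client_secret": re.compile(
        r"(?<![A-Za-z0-9_~.-])[A-Za-z0-9_~.-]{3}8Q~[A-Za-z0-9_~.-]{34}(?![A-Za-z0-9_~.-])"),
    # AWS access key id: AKIA (long-lived) or ASIA (STS temporary) + 16 chars
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # 256-bit symmetric key written as 64 hex chars (the TOKEN_SECRET shape)
    "hex_256bit_key": re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])"),
    # Database URI with embedded credentials (user:password@host)
    "db_uri_with_password": re.compile(
        r"\b(?:mysql|postgres(?:ql)?|mongodb)://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}

@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    redacted: str  # 4-char prefix + mask; the full value is never stored

def scan_text(text: str) -> list[Finding]:
    """Scan any text (a diff, a config dump) line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                findings.append(Finding(kind, line_no, value[:4] + "*" * (len(value) - 4)))
    return findings

def scan_git_history(repo_path: str) -> list[Finding]:
    """Scan the full patch history of all branches. Removed ('-') lines count
    too: a secret deleted in a later commit is still readable in history."""
    log = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text(log)

# Constructed sample diff with placeholder values (not the audit's real secrets).
SAMPLE_DIFF = """\
+TOKEN_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+MSAL_CLIENT_SECRET=abc8Q~0123456789abcdefghijklmnopqrstuvwx
-AWS_ACCESS_KEY_ID=ASIAEXAMPLE000000000
+DATABASE_URL=mysql://dev_admin:Pa55word@db.example.internal:3306/identity
+LOG_LEVEL=debug
"""
```

Running `scan_text(SAMPLE_DIFF)` yields one redacted finding per secret-bearing line and nothing for the `LOG_LEVEL` line; pointing `scan_git_history` at a clone gives the same output over every commit, including lines later removed.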