What to do if you inadvertently expose an AWS Access Key or STS token ?

AWS IAM keys can be exposed by mistake, by automation and also intentionally. Another possibility is exposure of STS token i.e. short term/temporary credentials for an AWS account. Temporary credentials can be valid up to 12 hours.

STS token access key always starts with “AKIA”.

Organizations need to pro-actively remediate these incidents in most effective way. On other hand, AWS also detect these exposed IAM keys in public git repos and send email to account DL.

Steps to follow :

  1. Check your cloudtrail logs → Filter logs with AWS access key ID or STS token. Use Athena or SIEM tool to query access key usage/traces and also determine level of access.

Ponder over below questions after issue containment:-

  • Why it happened ? → Find out the reason. E.g.:- Was it intentional/ disgruntled employee or by mistake. Can we harden our security controls in place.

As per best security practices-> Always enable AWS cloudtrail (multi-trail AWS Org level), AWS Config, Guardduty and VPC flow logs — and store logs in centralized S3 location.

AWS Cloudtrail → Stores all API activities in your AWS account.

AWS Config → It’s AWS configuration recorder. Stores all information related to resources and timelines with change history.

Guardduty → Logs can be analyzed to see if any resource is compromised or connected to malacious URL.

VPC Flow logs → You can enable flow-logs at VPC level and collect/analyze traffic pattern using 3rd party / ELK stack during this compromise to assess all aspects. E.g — any anomalies or connectivity from cloud to on-premises env.

Additional Measures :-

  • RCA (Root cause analysis) of this incident and document it.

it’s important to deep dive/analyze all AWS logs during such incidents to rule out all possible signs of compromise E.g. → Cross account IAM role, EBS/RDS snapshots or sharing with 3rd party accounts, S3 access logs etc.

Incident Response Playbook from AWS (Compromised IAM Credentials) https://github.com/aws-samples/aws-customer-playbook-framework/blob/main/docs/Compromised_IAM_Credentials.md

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store