Skip to main content

Potentially Compromised AWS Keys

This alert occurs when Lacework detects a potentially exposed AWS access key.

Why this Alert is Important

Access keys are one of the most common means of authentication used in AWS. A leaked access key can give any attacker access to your environment.

Investigation

Search through your AWS CloudTrail Event History for any suspicious events in the last 90 days, such as new IAM users created or new access keys generated.

Resolution

Conduct the following steps to prevent any further misuse or potential privilege escalation:

  1. Determine resources that are affected by the compromised access keys.
    • If keys are permitted with read and write access, revoke them by disabling them instead of deleting them.
    • If keys are permitted with read access to already public resources, rotate access keys.
    • If keys are permitted with write access, ensure the data's integrity and see if any modification is made. In case of any modification, restore the data to the previous stage, and disable the exposed keys.
  2. Invalidate the credentials.
    • Disable root credentials
    • Disable IAM user credentials
  3. Invalidate the temporary security credentials.
  4. Restore access with new credentials.
  5. Review access to your AWS account.
    • Check the AWS account for persistent or residual access.
    • Search AWS CloudTrail logs to understand what actions might have been performed on your AWS resources.
    • Delete any unrecognized or unauthorized resources.