Potentially Compromised AWS Keys

This alert occurs when Lacework detects a potentially exposed AWS access key.

Why this alert is important

Access keys are one of the most common means of authentication used in AWS. A leaked access key can give any attacker access to your environment.

Why this might be just fine

There are possible scenarios that could result in false positives, including:

  • Regular key rotation: AWS keys are often rotated as a security best practice. During key rotation, old keys are disabled, and new keys are generated. This process can trigger the alert, even though it's a normal security practice.
  • Temporary IAM user actions: If a temporary IAM user performs actions that appear unusual but are legitimate, such as accessing resources from different locations or regions, it might trigger the alert.
  • Legitimate access from new locations: Legitimate users or services might access AWS resources from new or unexpected locations. This change in access patterns could be flagged as suspicious but may be legitimate.

Investigation

Use the recommendations below to investigate this alert:

  • Examine supporting evidence: Click the Events tab to review potentially suspicious activities that occurred at the time of the alert. These activities may include login attempts from unfamiliar locations, unusual user behavior, or the use of sensitive APIs.
  • Inspect IP addresses of suspicious logins: Refer to the What section in the Alert Details to locate the IP address. If an IP address is outside of your organization's network or is otherwise unknown, the IP address should be blocked.
  • Analyze methods used by the identities in question:
    • Click the identity name mentioned in the What section. This action filters the CloudTrail dossier to show only the activities associated with the user in question, enabling a focused analysis of the user's actions within the account.
    • If there is further evidence of suspicious activity indicating tactics such as discovery, enumeration, defense evasion, or exfiltration, it is crucial to initiate immediate remediation measures.

Resolution

Conduct the following steps to prevent any further misuse or potential privilege escalation:

  1. Determine resources that are affected by the compromised access keys.
    • If the keys have read and write permissions, revoke them by disabling them rather than deleting them.
    • If the keys have only read access to resources that are already public, rotate the access keys.
    • If the keys have write access, verify the data's integrity and check whether anything was modified. If it was, restore the data to its previous state and disable the exposed keys.
  2. Invalidate the credentials.
    • Disable root credentials
    • Disable IAM user credentials
  3. Invalidate the temporary security credentials.
  4. Restore access with new credentials.
  5. Review access to your AWS account.
    • Check the AWS account for persistent or residual access.
    • Search the CloudTrail logs to understand what actions might have been performed on your AWS resources.
    • Delete any unrecognized or unauthorized resources.
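The investigation and review steps above (inspect source IPs, look for discovery, enumeration, defense evasion or exfiltration in CloudTrail, then disable rather than delete the key) can be scripted against exported CloudTrail records. The following is an added example, not Lacework's or AWS's code; the records, key IDs and known-network range are constructed placeholders, and the event-to-tactic mapping is an assumption you would extend for your own environment.

```python
"""Triage CloudTrail records for a potentially exposed AWS access key.
Added example, not Lacework's or AWS's code; sample records are constructed,
the key IDs are placeholders and the IPs are documentation-only ranges."""
import ipaddress
from collections import Counter

# Assumed mapping of well-known CloudTrail event names to the tactics the
# investigation step names; extend it with the APIs that matter to you.
TACTIC_BY_EVENT = {
    "GetCallerIdentity": "discovery",
    "ListBuckets": "discovery",
    "DescribeInstances": "enumeration",
    "StopLogging": "defense evasion",
    "GetObject": "exfiltration",
    "CreateAccessKey": "persistence",
}

SUSPECT_KEY = "AKIAPLACEHOLDER00001"   # placeholder, not a real key ID
KNOWN_NETWORKS = ["198.51.100.0/24"]   # constructed: your office/CI egress range


def record(event, ip, key, user):
    """Build a trimmed CloudTrail record with the fields triage needs."""
    return {"eventName": event, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key, "userName": user}}


SAMPLE_RECORDS = [  # constructed: one legitimate call, then use from an unknown IP
    record("PutObject", "198.51.100.5", SUSPECT_KEY, "ci-deploy"),
    record("GetCallerIdentity", "203.0.113.7", SUSPECT_KEY, "ci-deploy"),
    record("ListBuckets", "203.0.113.7", SUSPECT_KEY, "ci-deploy"),
    record("GetObject", "203.0.113.7", SUSPECT_KEY, "ci-deploy"),
    record("ListUsers", "198.51.100.9", "AKIAPLACEHOLDER00002", "alice"),
]


def triage_access_key(records, access_key_id, known_networks):
    """Summarise what one key did; disable_key follows the page's guidance to
    disable (not delete) a key once misuse is evident."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    ips = {r["sourceIPAddress"] for r in hits}
    unknown_ips = sorted(ip for ip in ips
                         if not any(ipaddress.ip_address(ip) in n for n in nets))
    flagged = [(r["eventName"], r["sourceIPAddress"], TACTIC_BY_EVENT[r["eventName"]])
               for r in hits if r["eventName"] in TACTIC_BY_EVENT]
    return {"event_count": len(hits),
            "events": Counter(r["eventName"] for r in hits),
            "unknown_ips": unknown_ips,
            "flagged": flagged,
            "disable_key": bool(flagged or unknown_ips)}
```

Feed it the records exported for the alert window and the suspect key from the What section; a non-empty `flagged` or `unknown_ips` list is the cue to move to the Resolution steps.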