About
When AWS becomes aware that an IAM user access key you own was exposed—for instance on GitHub—they mark it as compromised by attaching the AWSCompromisedKeyQuarantineV2 managed policy to the affected IAM user.
Understanding Impact
Business Impact
Compromised IAM user access keys can be used to access your AWS account and perform actions on your behalf. This can lead to data leaks, data loss, and unauthorized access to your AWS resources.
Technical Impact
The AWSCompromisedKeyQuarantineV2 managed policy contains explicit Deny statements, blocking commonly abused actions such as ec2:RunInstances. However, an attacker can still perform a wide range of dangerous actions if authorized by the IAM user policy. It's critical to remediate the compromised access key as soon as possible.
Identify affected resources
You can use the following bash command to find IAM users attached to the AWSCompromisedKeyQuarantineV2 policy:

```bash
aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2 \
  --entity-filter User
```
In the sample response below, the user john was marked as compromised:

```json
{
  "PolicyGroups": [],
  "PolicyUsers": [
    {
      "UserName": "john",
      "UserId": "AIDA123456789"
    }
  ],
  "PolicyRoles": []
}
```
Remediate vulnerable resources
You should consider that the IAM user has been compromised. Disable the affected access key, and review all actions that were performed using it.
You can refer to the incident playbooks in the "resources" section below for more guidance on how to handle compromised access keys.
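Putting the identify and remediate steps together, the following added script (not part of this page, and not Datadog or AWS tooling) finds the users carrying the quarantine policy, deactivates every access key on each of them, and pulls the CloudTrail events recorded for those keys so they can be reviewed. It assumes an AWS CLI profile with the iam and cloudtrail permissions involved; the embedded JSON sample is constructed from the response shown above and is only used to exercise the parsing.

```shell
#!/bin/sh
# Added example: walk quarantined IAM users, deactivate their keys,
# and list the CloudTrail events recorded against each key for review.
set -eu

QUARANTINE_POLICY_ARN="arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"

# Extract "UserName" values from pretty-printed aws CLI JSON on stdin.
# The CLI prints one key per line, so a sed capture is enough here.
quarantined_users() {
  sed -n 's/^[[:space:]]*"UserName":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Same extraction for "AccessKeyId" from `aws iam list-access-keys` output.
access_key_ids() {
  sed -n 's/^[[:space:]]*"AccessKeyId":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Deactivate every key of one user (Inactive rather than deleted, so the key
# id still resolves while you investigate), then show the events made with it.
# Note: lookup-events covers only the last 90 days and the current region.
remediate_user() {
  user="$1"
  aws iam list-access-keys --user-name "$user" | access_key_ids | while read -r key; do
    echo "Deactivating key $key of user $user"
    aws iam update-access-key --user-name "$user" --access-key-id "$key" --status Inactive
    echo "CloudTrail events recorded for $key (review these):"
    aws cloudtrail lookup-events \
      --lookup-attributes "AttributeKey=AccessKeyId,AttributeValue=$key" \
      --query 'Events[].[EventTime,EventName,EventSource]' --output table
  done
}

# Constructed sample, matching the response shown above (used for the self-test).
SAMPLE_RESPONSE='{
  "PolicyGroups": [],
  "PolicyUsers": [
    {
      "UserName": "john",
      "UserId": "AIDA123456789"
    }
  ],
  "PolicyRoles": []
}'

# Only talk to AWS when explicitly asked with --run; otherwise just define functions.
if [ "${1:-}" = "--run" ]; then
  aws iam list-entities-for-policy --policy-arn "$QUARANTINE_POLICY_ARN" \
    --entity-filter User | quarantined_users | while read -r user; do
    remediate_user "$user"
  done
fi
```

Run it as `sh quarantine-remediate.sh --run` (hypothetical file name) once the profile is set; without `--run` it only defines the functions.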
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this vulnerability using the out-of-the-box rule "The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached".
References
AWSCompromisedKeyQuarantineV2 (AWS documentation)
Remediating compromised AWS credentials (AWS documentation)
Incident Response Playbooks - Remediating compromised AWS credentials (AWS documentation)