Known compromised IAM user access key

PLATFORM

SERVICE: iam

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: high (how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

IMPACT: high (how impactful a successful exploitation of this vulnerability is expected to be to your environment and organization)

About

When AWS becomes aware that an IAM user access key you own was exposed—for instance on GitHub—they mark it as compromised by attaching the AWSCompromisedKeyQuarantineV2 managed policy to the affected IAM user.

Understanding Impact

Business Impact

Compromised IAM user access keys can be used to access your AWS account and perform actions on your behalf. This can lead to data leaks, data loss, and unauthorized access to your AWS resources.

Technical Impact

The AWSCompromisedKeyQuarantineV2 managed policy contains explicit Deny statements, blocking commonly abused actions such as ec2:RunInstances. However, an attacker can still perform a wide range of dangerous actions if authorized by the IAM user policy. It's critical to remediate the compromised access key as soon as possible.

Identify affected resources

You can use the following bash command to find IAM users attached to the AWSCompromisedKeyQuarantineV2 policy:

aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2 \
  --entity-filter User

In the sample response below, the user john was marked as compromised:

{
  "PolicyGroups": [],
  "PolicyUsers": [
    {
      "UserName": "john",
      "UserId": "AIDA123456789"
    }
  ],
  "PolicyRoles": []
}

Remediate vulnerable resources

You should consider that the IAM user has been compromised. Disable the affected access key, and review all actions that were performed using it.

You can refer to the incident playbooks in the "resources" section below for more guidance on how to handle compromised access keys.
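The identification and containment steps above, as an added Python example that is not part of the original page or of AWS's or Datadog's own tooling. It assumes a boto3-style IAM client (the real calls are list_entities_for_policy, list_access_keys, get_access_key_last_used and update_access_key); the FakeIAM class and its key IDs are constructed so the logic runs offline against the page's sample user "john".

```python
# Triage helper for users carrying the AWS quarantine policy (added example).
QUARANTINE_POLICY_ARN = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"


def find_quarantined_users(iam):
    """Return every user name attached to the quarantine policy, following pagination."""
    users, kwargs = [], {"PolicyArn": QUARANTINE_POLICY_ARN, "EntityFilter": "User"}
    while True:
        page = iam.list_entities_for_policy(**kwargs)
        users += [u["UserName"] for u in page.get("PolicyUsers", [])]
        if not page.get("IsTruncated"):
            return users
        kwargs["Marker"] = page["Marker"]  # continue from the server-supplied marker


def contain_user_keys(iam, user_name):
    """Deactivate each active access key of the user and record last-use data for the review."""
    records = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        key_id, was_active = key["AccessKeyId"], key["Status"] == "Active"
        last = iam.get_access_key_last_used(AccessKeyId=key_id)["AccessKeyLastUsed"]
        if was_active:  # disable, do not delete: the key ID is still needed for the CloudTrail review
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
        records.append({"user": user_name, "key": key_id, "was_active": was_active,
                        "last_used": last.get("LastUsedDate"), "service": last.get("ServiceName")})
    return records


class FakeIAM:
    """Constructed stand-in for boto3's IAM client: two result pages, one user, two keys."""
    def __init__(self):
        self.keys = {"john": [{"AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active"},
                              {"AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Inactive"}]}
        self.pages = [{"PolicyUsers": [{"UserName": "john"}], "IsTruncated": True, "Marker": "p2"},
                      {"PolicyUsers": [], "IsTruncated": False}]

    def list_entities_for_policy(self, **kw):
        return self.pages[1] if kw.get("Marker") == "p2" else self.pages[0]

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}

    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": {"LastUsedDate": "2024-01-01T00:00:00Z", "ServiceName": "s3"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status


if __name__ == "__main__":
    client = FakeIAM()  # replace with boto3.client("iam") to run against a real account
    for user in find_quarantined_users(client):
        print(contain_user_keys(client, user))
```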

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this vulnerability using the out-of-the-box rule "The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached".

References

AWSCompromisedKeyQuarantineV2 (AWS documentation)

Remediating compromised AWS credentials (AWS documentation)

Incident Response Playbooks - Remediating compromised AWS credentials (AWS documentation)
