Quarantine was applied to possibly compromised AWS credentials
Description
AlphaSOC discovered an AWS IAM user with the AWSCompromisedKeyQuarantine or AWSCompromisedKeyQuarantineV2 policy attached to their account. This policy is automatically applied by AWS when it suspects that the user's access keys have been compromised. This finding indicates that an unauthorized party may have gained access to the user's AWS credentials, putting the entire AWS environment at risk.
Impact
A threat actor can use compromised IAM credentials to perform various malicious activities, including data exfiltration, resource manipulation, and launching additional attacks within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| High | AWSCompromisedKeyQuarantine or AWSCompromisedKeyQuarantineV2 policy detected |
Investigation and Remediation
Determine what resources these credentials have access to. Invalidate the credentials so that they can no longer be used to access your account. Immediately investigate the affected IAM user's recent activity, including API calls, resource access, and any changes to the AWS environment. If the compromise is confirmed, rotate all credentials, update the user's privileges, and consider implementing additional security measures.
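The triage steps above, worked through as an added example (not AlphaSOC's own tooling): it finds the users carrying either quarantine policy, summarizes the affected user's recent CloudTrail activity (read-only calls versus changes, source addresses, failed calls), and deactivates the user's active access keys. The functions operate on data shaped like the responses of iam:ListAttachedUserPolicies, iam:ListAccessKeys and cloudtrail:LookupEvents, so the block runs offline on constructed sample data; the user names, key ids, IP addresses and timestamps below are placeholders, and RecordingIAM stands in for a boto3 IAM client.

```python
"""Triage helper for the AWSCompromisedKeyQuarantine finding (added example).

Input shapes mirror the AWS API responses:
  iam:ListAttachedUserPolicies -> {"AttachedPolicies": [{"PolicyName", "PolicyArn"}]}
  iam:ListAccessKeys           -> {"AccessKeyMetadata": [{"UserName", "AccessKeyId", "Status"}]}
  cloudtrail:LookupEvents      -> {"Events": [{"EventName", "EventSource", "EventTime",
                                   "Username", "CloudTrailEvent": <JSON string>}]}
All sample values below are constructed placeholders.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

QUARANTINE_POLICIES = {"AWSCompromisedKeyQuarantine", "AWSCompromisedKeyQuarantineV2"}


def quarantined_users(attached_by_user):
    """Map user name -> quarantine policy names, for users that carry one of them."""
    hits = {}
    for user, resp in attached_by_user.items():
        names = [p["PolicyName"] for p in resp["AttachedPolicies"]
                 if p["PolicyName"] in QUARANTINE_POLICIES]
        if names:
            hits[user] = names
    return hits


def summarize_activity(lookup_resp, username, since):
    """Summarize one user's CloudTrail events since `since`.

    CloudTrail records carry a readOnly flag, which separates resource access
    (reads) from changes to the environment (writes); errorCode marks failed calls.
    """
    summary = {"read": Counter(), "write": Counter(), "source_ips": set(),
               "errors": 0, "first": None, "last": None}
    for ev in lookup_resp["Events"]:
        if ev["Username"] != username or ev["EventTime"] < since:
            continue
        rec = json.loads(ev["CloudTrailEvent"])
        bucket = "read" if rec.get("readOnly", False) else "write"
        summary[bucket][f'{ev["EventSource"]}:{ev["EventName"]}'] += 1
        summary["source_ips"].add(rec.get("sourceIPAddress", "unknown"))
        if rec.get("errorCode"):
            summary["errors"] += 1
        t = ev["EventTime"]
        summary["first"] = t if summary["first"] is None else min(summary["first"], t)
        summary["last"] = t if summary["last"] is None else max(summary["last"], t)
    return summary


def deactivate_user_keys(iam, username, keys_resp):
    """Invalidate every active key via iam:UpdateAccessKey (Status=Inactive).

    Deactivating rather than deleting keeps the key id available for the
    investigation; delete it once the review is complete.
    """
    deactivated = []
    for k in keys_resp["AccessKeyMetadata"]:
        if k["Status"] == "Active":
            iam.update_access_key(UserName=username, AccessKeyId=k["AccessKeyId"], Status="Inactive")
            deactivated.append(k["AccessKeyId"])
    return deactivated


class RecordingIAM:
    """Stand-in for a boto3 IAM client: records update_access_key calls (offline run)."""
    def __init__(self):
        self.calls = []

    def update_access_key(self, **kwargs):
        self.calls.append(kwargs)


# ---- constructed sample data (placeholders, not real accounts or addresses) ----
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ATTACHED = {
    "deploy-bot": {"AttachedPolicies": [
        {"PolicyName": "AmazonS3ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]},
    "ci-runner": {"AttachedPolicies": [
        {"PolicyName": "AWSCompromisedKeyQuarantineV2", "PolicyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"},
        {"PolicyName": "PowerUserAccess", "PolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess"}]},
}
SAMPLE_KEYS = {"AccessKeyMetadata": [
    {"UserName": "ci-runner", "AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active"},
    {"UserName": "ci-runner", "AccessKeyId": "AKIAEXAMPLEKEY000002", "Status": "Inactive"}]}


def _event(name, source, when, ip, read_only, error=None):
    rec = {"eventName": name, "eventSource": source, "sourceIPAddress": ip, "readOnly": read_only}
    if error:
        rec["errorCode"] = error
    return {"EventName": name, "EventSource": source, "EventTime": when,
            "Username": "ci-runner", "CloudTrailEvent": json.dumps(rec)}


SAMPLE_EVENTS = {"Events": [
    _event("GetCallerIdentity", "sts.amazonaws.com", NOW - timedelta(minutes=50), "198.51.100.23", True),
    _event("ListBuckets", "s3.amazonaws.com", NOW - timedelta(minutes=48), "198.51.100.23", True),
    _event("RunInstances", "ec2.amazonaws.com", NOW - timedelta(minutes=45), "198.51.100.23", False,
           "Client.UnauthorizedOperation"),
    _event("CreateAccessKey", "iam.amazonaws.com", NOW - timedelta(minutes=40), "198.51.100.23", False),
    _event("ListBuckets", "s3.amazonaws.com", NOW - timedelta(hours=30), "203.0.113.8", True),  # outside window
]}

if __name__ == "__main__":
    for user, policies in quarantined_users(SAMPLE_ATTACHED).items():
        print(f"{user}: quarantined by {policies}")
        print(summarize_activity(SAMPLE_EVENTS, user, NOW - timedelta(hours=24)))
        print("deactivated:", deactivate_user_keys(RecordingIAM(), user, SAMPLE_KEYS))
```

In a live account the same functions take the real responses from `boto3.client("iam")` and `boto3.client("cloudtrail")`; rotating the credentials and reviewing the user's privileges follow once the activity summary has been read.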
Known False Positives
- Automated scripts or applications using IAM user credentials can trigger the policy if their behavior appears suspicious; AlphaSOC distinguishes legitimate threats from such cases
- Testing or security exercises conducted by the organization's security team might trigger this alert