Quarantine was applied to possibly compromised AWS credentials

ID: aws_compromised_key_quarantine
Data type: AWS CloudTrail
Severity: High
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC discovered an AWS IAM user with the AWSCompromisedKeyQuarantine or AWSCompromisedKeyQuarantineV2 policy attached to their account. This policy is automatically applied by AWS when it suspects that the user's access keys have been compromised. This finding indicates that an unauthorized party may have gained access to the user's AWS credentials, putting the entire AWS environment at risk.

Impact

A threat actor can use compromised IAM credentials to perform various malicious activities, including data exfiltration, resource manipulation, and launching additional attacks within the AWS environment.

Severity

Severity | Condition
-------- | ---------
High     | AWSCompromisedKeyQuarantine or AWSCompromisedKeyQuarantineV2 policy detected

Investigation and Remediation

Determine what resources these credentials have access to. Invalidate the credentials so that they can no longer be used to access your account. Immediately investigate the affected IAM user's recent activity, including API calls, resource access, and any changes to the AWS environment. If the compromise is confirmed, rotate all credentials, update the user's privileges, and consider implementing additional security measures.
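The detection condition above (a quarantine policy attached to an IAM user) and the first investigation step (reviewing the user's recent API calls) as an added Python example over constructed CloudTrail records; this is illustrative code, not AlphaSOC's detection logic, and the sample events, user names and IP addresses are made up.

```python
import json

# AWS managed policies that AWS attaches when it believes a user's keys leaked.
QUARANTINE_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine",
    "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2",
}

# Constructed CloudTrail log file (not real events): an earlier call by the
# user, the quarantine attach, and an unrelated policy attach on another user.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:58:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "ci-deploy", "policyArn":
         "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"}},
    {"eventTime": "2024-05-01T10:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "requestParameters": {"userName": "alice", "policyArn":
         "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]})

def load_records(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list."""
    return json.loads(log_text).get("Records", [])

def is_quarantine_attach(rec):
    """True when IAM attached one of the quarantine policies to a user."""
    params = rec.get("requestParameters") or {}
    return (rec.get("eventSource") == "iam.amazonaws.com"
            and rec.get("eventName") == "AttachUserPolicy"
            and params.get("policyArn") in QUARANTINE_POLICY_ARNS)

def find_quarantined_users(records):
    """One High-severity finding per quarantine attach: target user and time."""
    return [{"user": r["requestParameters"]["userName"],
             "policy": r["requestParameters"]["policyArn"].rsplit("/", 1)[-1],
             "time": r["eventTime"], "severity": "High"}
            for r in records if is_quarantine_attach(r)]

def activity_before_quarantine(records, finding):
    """Triage: calls made by the quarantined user up to the quarantine time,
    with source IPs, as a starting point for the recent-activity review."""
    return [(r["eventTime"], r["eventName"], r.get("sourceIPAddress"))
            for r in records
            if (r.get("userIdentity") or {}).get("userName") == finding["user"]
            and r["eventTime"] <= finding["time"]]
```

The time comparison relies on CloudTrail's fixed-width UTC timestamps, which sort correctly as strings.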

Known False Positives

  • Automated scripts or applications using IAM user credentials can trigger the policy if their behavior appears suspicious; AlphaSOC distinguishes genuine threats from such cases
  • Testing or security exercises conducted by the organization's security team might trigger this alert

Further Reading