Quarantine self applied to AWS credentials

Data type: AWS CloudTrail
MITRE ATT&CK: TA0001:T1078.004


AlphaSOC discovered an AWS IAM user with the AWSCompromisedKeyQuarantine or AWSCompromisedKeyQuarantineV2 policy attached. AWS attaches this policy automatically when it suspects that the user's access keys have been compromised. This finding indicates that an unauthorized party may have obtained the user's AWS credentials, putting the entire AWS environment at risk.


A threat actor can use compromised IAM credentials to perform various malicious activities, including data exfiltration, resource manipulation, and launching additional attacks within the AWS environment.


Quarantine applied to an IAM user manually
Quarantine applied to an IAM user by AWS

Investigation and Remediation

Determine what resources these credentials have access to. Invalidate the credentials so that they can no longer be used to access your account. Immediately investigate the affected IAM user's recent activity, including API calls, resource access, and any changes to the AWS environment. If the compromise is confirmed, rotate all credentials, update the user's privileges, and consider implementing additional security measures.
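The following is an added example, not AlphaSOC's detection logic or any AWS-provided code. It shows the two CloudTrail-side pieces of the work described above: spotting the AttachUserPolicy call that put a quarantine policy on a user, and pulling a triage summary of that user's recent activity (access keys used, source IPs, mutating calls). The records, account id, user names, key ids and IP addresses are all constructed sample data; the two quarantine policy ARNs are the standard AWS managed-policy ARNs for the policies named on this page.

```python
import json

# AWS managed policies that AWS attaches when it believes an access key has leaked.
QUARANTINE_V1 = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine"
QUARANTINE_V2 = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"
QUARANTINE_POLICY_ARNS = {QUARANTINE_V1, QUARANTINE_V2}


def _ev(time, user, key, source, name, read_only, ip, params=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data, placeholder account id)."""
    rec = {
        "eventTime": time, "eventSource": source, "eventName": name,
        "readOnly": read_only, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key,
                         "arn": f"arn:aws:iam::111122223333:user/{user}"},
        "requestParameters": params or {},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample records: a key used from two different IPs, a denied attempt to
# attach the quarantine policy, the real attachment, and an unrelated policy attachment.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:12Z", "deploy-bot", "AKIAEXAMPLE00000001", "s3.amazonaws.com",
        "ListBuckets", True, "203.0.113.10"),
    _ev("2024-05-01T09:05:40Z", "deploy-bot", "AKIAEXAMPLE00000001", "secretsmanager.amazonaws.com",
        "GetSecretValue", True, "198.51.100.7", {"secretId": "prod/db"}),
    _ev("2024-05-01T09:06:02Z", "deploy-bot", "AKIAEXAMPLE00000001", "ec2.amazonaws.com",
        "RunInstances", False, "198.51.100.7"),
    _ev("2024-05-01T09:20:00Z", "helpdesk", "AKIAEXAMPLE00000002", "iam.amazonaws.com",
        "AttachUserPolicy", False, "203.0.113.50",
        {"userName": "deploy-bot", "policyArn": QUARANTINE_V1}, error="AccessDenied"),
    _ev("2024-05-01T09:31:15Z", "sec-admin", "AKIAEXAMPLE00000003", "iam.amazonaws.com",
        "AttachUserPolicy", False, "203.0.113.50",
        {"userName": "deploy-bot", "policyArn": QUARANTINE_V2}),
    _ev("2024-05-01T09:40:00Z", "sec-admin", "AKIAEXAMPLE00000003", "iam.amazonaws.com",
        "AttachUserPolicy", False, "203.0.113.50",
        {"userName": "auditor", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]


def load_cloudtrail_file(path):
    """Read a CloudTrail log file, which wraps its records in a top-level 'Records' list."""
    with open(path) as fh:
        return json.load(fh).get("Records", [])


def find_quarantine_attachments(events):
    """One finding per successful AttachUserPolicy call that attached a quarantine policy."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "AttachUserPolicy":
            continue
        if ev.get("errorCode"):
            continue  # the call failed, so no policy was attached
        params = ev.get("requestParameters") or {}
        if params.get("policyArn") not in QUARANTINE_POLICY_ARNS:
            continue
        ident = ev.get("userIdentity", {})
        findings.append({
            "quarantined_user": params.get("userName"),
            "policy_arn": params["policyArn"],
            "attached_by": ident.get("arn") or ident.get("type"),
            "event_time": ev.get("eventTime"),
            "source_ip": ev.get("sourceIPAddress"),
        })
    return findings


def activity_summary(events, user_name):
    """Triage view of what the named IAM user did: keys, IPs, call mix, and non-read-only calls."""
    own = [e for e in events if e.get("userIdentity", {}).get("userName") == user_name]
    by_name = {}
    for e in own:
        by_name[e["eventName"]] = by_name.get(e["eventName"], 0) + 1
    return {
        "event_count": len(own),
        "access_keys": {e["userIdentity"].get("accessKeyId") for e in own},
        "source_ips": {e.get("sourceIPAddress") for e in own},
        "events_by_name": by_name,
        # CloudTrail marks read-only API calls with readOnly=true; anything else changed state.
        "mutating_calls": [e["eventName"] for e in own
                           if e.get("readOnly") is False and not e.get("errorCode")],
        "first_seen": min((e["eventTime"] for e in own), default=None),
        "last_seen": max((e["eventTime"] for e in own), default=None),
    }


if __name__ == "__main__":
    for finding in find_quarantine_attachments(SAMPLE_EVENTS):
        print("quarantine attached:", finding)
        print("activity:", activity_summary(SAMPLE_EVENTS, finding["quarantined_user"]))
```

On real data, pass the output of `load_cloudtrail_file` (or records pulled from your SIEM) instead of `SAMPLE_EVENTS`. The access keys and source IPs in the summary are what to act on first: every key listed needs to be deactivated, and an IP that does not belong to your infrastructure is a strong indicator that the compromise is real.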

Further Reading