
AWS Compromised Credentials

This article covers the immediate response; it was created to minimise our window of exposure.

Steps for leaked credentials

1) Log in to our AWS Management Console

2) Go to Services -> IAM and search for the user whose credentials were leaked (TIP: you can search either by access key or by username). If you prefer using the CLI:

aws iam list-users --output json --query 'Users[?contains(UserName, `testAlejandro`)  == `true`]'

3) Within the user, click the “Delete user” button (top right corner). If you prefer to use the CLI, you’ll have to delete the user’s dependencies (access keys, groups, etc.) first; an example can be found here.

4) If the service team is known, we should notify them via their Slack channel (and @ the specific user). If the service team isn’t known, a message should be sent privately on Slack.

Getting new credentials

Most of the users and keys are created through Terraform; the process to recreate them is here

Audit the compromised credentials

Check CloudTrail for any activity by the credentials after they were exposed. This can be done by logging in to the AWS Management Console, going to Services -> CloudTrail -> Event history, and filtering by AWS access key.
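
The CLI route from step 3 and the audit above, as an added shell example (not this team's own script, and not the one linked from step 3). It assumes the AWS CLI with IAM and CloudTrail permissions; the function names are illustrative, and users that also have SSH public keys, signing certificates or service-specific credentials need those removed before delete-user succeeds.

```shell
#!/bin/sh
# Added example; function names are illustrative. Usage after sourcing this file:
#   delete_iam_user <user-name>
#   audit_access_key <access-key-id> [exposure-time, e.g. 2024-02-23T00:00:00Z]

# List values for a user via a JMESPath query, as whitespace-separated text.
iam_list() {  # iam_list <subcommand> <user-name> <query>
  aws iam "$1" --user-name "$2" --query "$3" --output text
}

delete_iam_user() {
  user=$1
  [ -n "$user" ] || { echo "usage: delete_iam_user <user-name>" >&2; return 2; }
  # Access keys first: this is what cuts off the leaked credential.
  for key in $(iam_list list-access-keys "$user" 'AccessKeyMetadata[].AccessKeyId'); do
    echo "deleting access key $key (keep this ID for the CloudTrail audit)"
    aws iam delete-access-key --user-name "$user" --access-key-id "$key" || return 1
  done
  for group in $(iam_list list-groups-for-user "$user" 'Groups[].GroupName'); do
    aws iam remove-user-from-group --user-name "$user" --group-name "$group" || return 1
  done
  for arn in $(iam_list list-attached-user-policies "$user" 'AttachedPolicies[].PolicyArn'); do
    aws iam detach-user-policy --user-name "$user" --policy-arn "$arn" || return 1
  done
  for policy in $(iam_list list-user-policies "$user" 'PolicyNames[]'); do
    aws iam delete-user-policy --user-name "$user" --policy-name "$policy" || return 1
  done
  for mfa in $(iam_list list-mfa-devices "$user" 'MFADevices[].SerialNumber'); do
    aws iam deactivate-mfa-device --user-name "$user" --serial-number "$mfa" || return 1
  done
  # Console password: the call fails when the user has none, which is fine.
  aws iam delete-login-profile --user-name "$user" 2>/dev/null || true
  aws iam delete-user --user-name "$user"
}

# Events recorded for one access key, optionally only those after the exposure
# time. Event history is per region: repeat with AWS_DEFAULT_REGION set for
# each region in use.
audit_access_key() {
  aws cloudtrail lookup-events ${2:+--start-time "$2"} \
    --lookup-attributes "AttributeKey=AccessKeyId,AttributeValue=$1" \
    --query 'Events[].[EventTime,EventName,EventSource,Username]' --output text
}
```

Deleting the user removes the key IDs from IAM, so note the IDs the function prints before moving on to the audit.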

This page was last reviewed on 23 February 2024. It needs to be reviewed again on 23 August 2024 by the page owner #cloud-platform.