AWS Compromised Credentials
This article is the immediate response, it was created to minimise our window of exposure
Steps for a leaked credentials
1) Login into our AWS Management Console
2) Go to Services -> IAM and search for the user with credentials leaked (TIP You can search either by Access Keys or by Username). In case you prefer using the CLI:
aws iam list-users --output json --query 'Users[?contains(UserName, `testAlejandro`) == `true`]'
3) Within the User, click in “Delete user” button (top right corner). If you prefer to use the CLI you’ll have to delete dependencies (Access Keys, Groups, etc), an example can be found here.
4) If the service team is known we should notify them via their slack channel (and @ the specific user). If the service team isn’t known message should be sent privately on Slack.
Getting new credentials
Most of the users and keys are created through terraform, the process to recreate them are here
Audit the compromised credentials
Check CloudTrail for any activity of the credentials after it got exposed. This can be done by logging into AWS Management Console
Go to **Services -> CloudTrail -> Event history and filter by
AWS access key