Skip to main content

AWS Compromised Credentials

This article was created to minimise our window of exposure.

Steps for a leaked credentials

1) Login into our AWS Management Console.

2) Go to Services -> IAM and search for the user with the leaked credentials (TIP You can search either by Access Keys or by Username). In case you prefer using the CLI:

aws iam list-users --output json --query 'Users[?contains(UserName, `testAlejandro`)  == `true`]'

3) Within the User, click on “Delete user” button (top right corner). If you prefer to use the CLI, you’ll have to delete dependencies (Access Keys, Groups, etc), an example can be found here.

4) If the service team is known, we should notify them via their slack channel (and @ the specific user). If the service team isn’t known, messages should be sent privately on Slack.

Getting new credentials

Most of the users and keys are created through terraform, the process to recreate them are here

Audit the compromised credentials

Check CloudTrail for any activity of the credentials after it got exposed. This can be done by logging into AWS Management Console. Go to Services -> CloudTrail -> Event history and filter by AWS access key.

This page was last reviewed on 4 March 2025. It needs to be reviewed again on 4 September 2025 by the page owner #cloud-platform .
This page was set to be reviewed before 4 September 2025 by the page owner #cloud-platform. This might mean the content is out of date.