Full Report
Expel’s SOC detected unauthorized access into one of their customer’s Amazon Web Services (AWS) environments. The attacker used a long-term access key to gain initial access. Once they got in, they were able to abuse the AWS Identity and Access Management (IAM) service to esca...
Analysis Summary
# Incident Report: AWS IAM Privilege Escalation via Compromised Long-Term Access Key
## Executive Summary
An unauthorized threat actor gained access to a customer’s AWS environment by leveraging a compromised long-term IAM access key. The attacker successfully executed privilege escalation by abusing IAM permissions, allowing them to gain elevated administrative control within the cloud environment. Expel’s SOC detected the anomalous activity, leading to the revocation of credentials and containment of the threat.
## Incident Details
- **Discovery Date:** Not explicitly disclosed (Detected by Expel SOC)
- **Incident Date:** Not explicitly disclosed
- **Affected Organization:** Confidential (Expel Customer)
- **Sector:** Not disclosed
- **Geography:** Global / Cloud-based (AWS)
## Timeline of Events
### Initial Access
- **Date/Time:** Not disclosed; treated as T+0 for the timeline below.
- **Vector:** Compromised Credentials
- **Details:** The attacker utilized a valid, long-term AWS IAM access key associated with a user account to authenticate via the AWS CLI/API.
### Lateral Movement
- **Details:** After gaining initial access, the attacker performed internal reconnaissance of the IAM environment to identify high-privilege policies and roles that could be assumed or modified.
### Data Exfiltration/Impact
- **Details:** The primary impact was compromise of the account's control plane. The attacker escalated to administrative privileges, which would have permitted access to any data in the account. No data exfiltration is reported; rapid detection limited the window in which it could have occurred.
### Detection & Response
- **Discovery:** Expel’s SOC identified anomalous IAM API calls (e.g., `CreatePolicyVersion` or `AttachUserPolicy`) originating from an unfamiliar IP address.
- **Response:** The SOC alerted the customer, disabled the compromised access key, and deleted the unauthorized IAM policies created by the attacker.
## Attack Methodology
- **Initial Access:** Valid long-term IAM Access Keys.
- **Persistence:** Creation of new IAM users or additional access keys (a common pattern in such intrusions; not specifically confirmed in the source).
- **Privilege Escalation:** Abuse of IAM permissions (e.g., `iam:CreatePolicyVersion` to add a policy version granting broader rights, then `iam:SetDefaultPolicyVersion` to activate it) to grant administrative rights to the compromised user.
- **Defense Evasion:** Use of legitimate AWS CLI tools to blend in with administrative traffic.
- **Discovery:** Cloud infrastructure enumeration using read-only `Get*`/`List*` IAM calls and `Describe*`/`List*` calls to other services.
- **Lateral Movement:** No movement to other accounts or hosts is described; the attacker moved from a standard IAM user context to an administrative context within the same AWS account via the API (the escalation above).
- **Collection:** Identifying S3 buckets and RDS snapshots for potential theft.
- **Exfiltration:** N/A (Interrupted by response).
- **Impact:** Full account takeover risk and potential resource manipulation.
## Impact Assessment
- **Financial:** Minimal direct loss; operational costs related to incident response and remediation.
- **Data Breach:** Risk of exposure for all data hosted within the affected AWS account.
- **Operational:** Temporary suspension of the compromised user account and auditing of all recent infrastructure changes.
- **Reputational:** Potential loss of trust if customer data had been publicly leaked.
## Indicators of Compromise (Defanged)
- **Network indicators:**
- Unauthorized API calls from a single external IP address not previously seen in the customer's traffic (the address itself is not disclosed in the source).
- **Behavioral indicators:**
- `UpdateAssumeRolePolicy` calls from non-corporate IP addresses.
- `CreatePolicyVersion` followed immediately by `SetDefaultPolicyVersion`.
- Unusual `ConsoleLogin` without MFA for associated users.
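The escalation sequence in the Attack Methodology section and the behavioral indicators above translate directly into detection logic. The following Python is an added example, not Expel's detection logic or anything from the original report. It runs over a handful of constructed CloudTrail records (documentation IP ranges and AWS's published example access key ID, not indicators from this incident) and flags three things: IAM write calls made with a long-term key from outside an assumed trusted CIDR list, a `CreatePolicyVersion` that becomes the default version (in one call via `setAsDefault`, or via `SetDefaultPolicyVersion` within a window), and console sign-ins without MFA. The trusted ranges, the window and the list of IAM write calls are assumptions to adjust per environment.

```python
"""Flag the IAM privilege-escalation pattern in CloudTrail events (added example)."""
import ipaddress
from datetime import datetime, timezone

# IAM write calls that grant or extend access. Any of them from a long-term key
# outside the trusted network is worth an alert on its own. (Assumed list.)
IAM_ESCALATION_CALLS = {
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
    "CreateAccessKey", "CreateUser", "CreateLoginProfile",
}

# Assumed corporate/VPN egress ranges; replace with the real allowlist.
TRUSTED_CIDRS = ["10.0.0.0/8", "198.51.100.0/24"]


def _ts(event):
    # CloudTrail eventTime is ISO 8601 UTC without fractional seconds.
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_untrusted_ip(ip, trusted_cidrs):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. "iam.amazonaws.com": a service principal, not an external client
    return not any(addr in ipaddress.ip_network(c) for c in trusted_cidrs)


def detect(events, trusted_cidrs=TRUSTED_CIDRS, window_seconds=300):
    """Return (rule, accessKeyId, eventName, eventTime) tuples in time order."""
    findings = []
    pending = {}  # (accessKeyId, policyArn) -> time of the last CreatePolicyVersion
    for ev in sorted(events, key=_ts):
        name = ev["eventName"]
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        params = ev.get("requestParameters") or {}
        # Long-term IAM user keys start with AKIA; STS temporary keys start with ASIA.
        long_term = key.startswith("AKIA")
        untrusted = from_untrusted_ip(ev.get("sourceIPAddress", ""), trusted_cidrs)

        # Rule 1: IAM write call using a long-term key from outside the network.
        if name in IAM_ESCALATION_CALLS and long_term and untrusted:
            findings.append(("iam_write_from_untrusted_ip", key, name, ev["eventTime"]))

        # Rule 2: a new policy version activated as the default, either in one call
        # (setAsDefault=true) or by SetDefaultPolicyVersion shortly afterwards.
        if name == "CreatePolicyVersion":
            if params.get("setAsDefault") is True:
                findings.append(("policy_version_made_default", key, name, ev["eventTime"]))
            else:
                pending[(key, params.get("policyArn"))] = _ts(ev)
        elif name == "SetDefaultPolicyVersion":
            created = pending.pop((key, params.get("policyArn")), None)
            if created is not None and (_ts(ev) - created).total_seconds() <= window_seconds:
                findings.append(("policy_version_made_default", key, name, ev["eventTime"]))

        # Rule 3: console sign-in that did not use MFA.
        if name == "ConsoleLogin" and (ev.get("additionalEventData") or {}).get("MFAUsed") == "No":
            findings.append(("console_login_without_mfa", key, name, ev["eventTime"]))
    return findings


# Constructed sample records (documentation addresses and AWS's example key ID,
# not data from the incident). Only the fields the rules read are included.
SAMPLE_USER = {"type": "IAMUser", "userName": "deploy-user", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
POLICY_ARN = "arn:aws:iam::123456789012:policy/DeployPolicy"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T12:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedUserPolicies", "sourceIPAddress": "203.0.113.10",
     "userIdentity": SAMPLE_USER, "requestParameters": {"userName": "deploy-user"}},
    {"eventTime": "2024-05-01T12:00:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion", "sourceIPAddress": "203.0.113.10",
     "userIdentity": SAMPLE_USER, "requestParameters": {"policyArn": POLICY_ARN, "setAsDefault": False}},
    {"eventTime": "2024-05-01T12:00:58Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "sourceIPAddress": "203.0.113.10",
     "userIdentity": SAMPLE_USER, "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"}},
    {"eventTime": "2024-05-01T12:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

if __name__ == "__main__":
    for rule, key, name, when in detect(SAMPLE_EVENTS):
        print(f"{when} {rule:30} {name} key={key}")
```

On the constructed sample the two IAM write calls each raise the untrusted-IP rule, and the `SetDefaultPolicyVersion` seventeen seconds after `CreatePolicyVersion` on the same policy raises the sequence rule as well; the read-only `ListAttachedUserPolicies` call and the MFA-backed console login produce nothing. Keying the pending table on the access key ID rather than the user name matters when a user has several keys, which is exactly the persistence pattern noted above.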
## Response Actions
- **Containment:** Immediately deactivated the compromised IAM access key.
- **Eradication:** Deleted the malicious IAM policies and reverted permissions to the last known secure state.
- **Recovery:** Forced password resets for associated accounts and rotated all secrets potentially exposed during the session.
## Lessons Learned
- **Credential Management:** Long-term access keys represent a significant security risk compared to short-lived, temporary credentials (STS).
- **IAM Over-Privilege:** The initial user had more permissions than necessary, which facilitated the escalation path.
- **Monitoring Gaps:** Critical IAM changes should trigger real-time alerts.
## Recommendations
- **Transition to IAM Roles:** Eliminate long-term access keys in favor of IAM Roles for EC2/Lambda and AWS IAM Identity Center (SSO) for human users.
- **Implement Least Privilege:** Audit IAM policies to remove dangerous permissions like `iam:PutUserPolicy` or `iam:CreatePolicyVersion` from non-admin users.
- **Enforce MFA:** Require Multi-Factor Authentication for all console logins and sensitive API operations.
- **Enable GuardDuty:** Utilize Amazon GuardDuty and CloudTrail logging to detect anomalous behavior and unauthorized API calls automatically.
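To make the least-privilege and MFA recommendations concrete, the following Python is an added example, not code from the report or from Expel. It is a small audit that lists which privilege-escalation IAM actions a policy document allows without any `Condition`, applied to a constructed over-privileged policy of the kind that enables the escalation described above and to a hardened version of it. The action list, the bucket name and both policies are assumptions for illustration; the audit ignores `Resource` scoping and skips conditional statements, so its output is a list of leads to review, not a verdict.

```python
"""Audit an IAM policy document for privilege-escalation permissions (added example)."""
import fnmatch
import json

# IAM actions that let a principal grant more access to itself or another identity.
# Assumed list; extend it for the services in use.
ESCALATION_ACTIONS = [
    "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:CreatePolicyVersion", "iam:PassRole", "iam:PutGroupPolicy",
    "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:UpdateLoginProfile",
]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM matches action names case-insensitively, with '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def escalation_actions_allowed(policy):
    """Return the escalation actions the policy allows without any Condition.

    Allow statements add matching actions (via Action, or via NotAction when the
    action is not excluded); unconditional Deny statements remove them again, as
    an explicit Deny always wins. Statements with a Condition are skipped and left
    for manual review, and Resource scoping is ignored.
    """
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement")):
        if st.get("Condition"):
            continue
        if "NotAction" in st:
            pats = _as_list(st["NotAction"])
            acts = {a for a in ESCALATION_ACTIONS if not any(_matches(p, a) for p in pats)}
        else:
            pats = _as_list(st.get("Action"))
            acts = {a for a in ESCALATION_ACTIONS if any(_matches(p, a) for p in pats)}
        (allowed if st.get("Effect") == "Allow" else denied).update(acts)
    return sorted(allowed - denied)


# The kind of policy that enables the escalation path described in the report:
# a deployment user that can also publish a new version of a managed policy.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "iam:Get*", "iam:List*",
                   "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:PassRole"],
        "Resource": "*",
    }],
}

# Hardened form: only the S3 access the job needs on one (assumed) bucket, and an
# explicit Deny on all IAM calls unless MFA was used. aws:MultiFactorAuthPresent is
# absent from requests signed with a long-term access key, and BoolIfExists treats
# an absent key as a match, so the Deny also covers plain access-key use. Because
# Deny overrides Allow, it holds even if another attached policy grants IAM writes.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-deploy-artifacts/*"},
        {"Effect": "Deny",
         "Action": "iam:*",
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, json.dumps(escalation_actions_allowed(pol)))
```

The weak policy reports `iam:CreatePolicyVersion`, `iam:PassRole` and `iam:SetDefaultPolicyVersion`; the hardened one reports nothing. A policy using a bare `"Action": "*"` or `"NotAction"` that only excludes read calls reports the whole list, which is the case most worth catching in a fleet-wide audit, since those statements rarely look dangerous at a glance. Denying `iam:*` without MFA also blocks IAM reads, so a principal that legitimately needs `iam:Get*`/`iam:List*` from automation gets a narrower Deny list or, better, an IAM role with no long-term key at all.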