Full Report
Impacted organization discovered that long-lived AWS creds had leaked. Initially alerted to the following suspicious activity:

Follow-up investigation into CloudTrail logs showed compromise of multiple IAM accounts and evidence of leakage of long-lived access keys.
Analysis Summary
# Incident Report: Long-Lived AWS Credential Leakage
## Executive Summary
An incident was triggered by alerts concerning suspicious AWS API authentication attempts originating from unusual locations and using non-standard user agents (e.g., `aws-cli/kali`). Subsequent investigation confirmed the compromise of multiple IAM accounts due to leaked long-lived access keys. The primary impact involved unauthorized access and reconnaissance activities within the AWS environment.
## Incident Details
- Discovery Date: Undisclosed (Alert generated based on suspicious activity)
- Incident Date: Undisclosed (Leakage and initial compromise occurred prior to discovery)
- Affected Organization: Undisclosed
- Sector: General (Cloud Environment Focus)
- Geography: Unknown
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed
- Vector: Leaked Long-Lived AWS Access Keys
- Details: Attackers used pre-existing, compromised, long-lived AWS access keys to successfully authenticate to the AWS API.
### Lateral Movement
- Date/Time: During investigation/post-detection
- Details: The investigation confirmed compromise of *multiple* IAM accounts. Attackers attempted reconnaissance activities, specifically enumerating existing users via `CreateUser` API calls, which returned an "access denied" error, suggesting limited initial privileges or defensive restrictions.
### Data Exfiltration/Impact
- Data exfiltration scope is **Unknown** based on the provided context. The immediate impact observed was unauthorized API interaction and account reconnaissance.
### Detection & Response
- **Detection:** Initial alert triggered by suspicious AWS API activity:
  1. Successful authentication from unusual locations outside the normal AWS region/network.
  2. Use of a suspicious user agent string, specifically `'aws-cli/kali'`.
- **Response:** Follow-up investigation initiated into CloudTrail logs, confirming widespread compromise via leaked keys and enumeration attempts. (Specific containment/eradication steps are not detailed in the source.)
## Attack Methodology
- Initial Access: **Stolen Credentials** (Leaked long-lived IAM access keys).
- Persistence: Leveraging existing, *long-lived* credentials provided inherent persistence until key revocation.
- Privilege Escalation: Not explicitly detailed, but initial attempts included `CreateUser` API call, suggesting attempts to establish new persistence or gauge permissions.
- Defense Evasion: Using standard AWS CLI tooling (indicated by the user agent), but the unusual geographic origin and user agent flag helped trigger the alert.
- Credential Access: **Leakage** of pre-existing long-lived access keys (source of leak unknown, e.g., public repository, developer workstation compromise).
- Discovery: Cloud API enumeration (specifically targeting user creation/enumeration).
- Lateral Movement: Compromise of *multiple* IAM accounts.
- Collection: Not explicitly detailed.
- Exfiltration: Not explicitly detailed.
- Impact: Unauthorized API interaction and environment reconnaissance.
## Impact Assessment
- Financial: Unknown.
- Data Breach: Unknown volume/type, but multiple IAM accounts were compromised.
- Operational: Limited to the unauthorized API usage documented by the alerts; no further disruption is described in the source.
- Reputational: Unknown.
## Indicators of Compromise
- **Behavioral Indicators:**
  * Successful AWS API authentication from unusual geographic locations.
  * Use of a user agent string indicative of external tooling/security testing platforms (`'aws-cli/kali'`).
  * Attempted `CreateUser` API calls resulting in "access denied" (indicating reconnaissance).
- **Network Indicators:** (None provided/Defanged)
- **File Indicators:** (None provided)
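The three behavioral indicators above are exactly the signals the detection in this incident fired on, so the following is an added example (not from the report or the affected organization) of triage logic that scores CloudTrail records against them and groups hits by access key. The baseline values (expected region, trusted CIDR, known user-agent prefixes) and the three JSON-lines records are constructed for the example; the record fields follow the real CloudTrail event shape.

```python
"""Triage CloudTrail records for the signals in this report: unexpected region,
untrusted source IP, non-standard user agent, and AccessDenied on a
reconnaissance call such as CreateUser. Added example with constructed data."""
import ipaddress
import json
from collections import defaultdict

# Assumed environment baseline (constructed for this example).
EXPECTED_REGIONS = {"us-east-1"}
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range, constructed
KNOWN_USER_AGENT_PREFIXES = ("aws-sdk-go", "Boto3", "console.amazonaws.com")
# Calls whose AccessDenied outcome is a strong reconnaissance/permission-probing signal.
RECON_CALLS = {"CreateUser", "ListUsers", "ListAccessKeys", "GetCallerIdentity"}

# Constructed CloudTrail records as JSON lines; key/account values are made up.
SAMPLE_EVENTS = """\
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userAgent":"Boto3/1.34.0 md/Botocore","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE000000001"}}
{"eventTime":"2024-01-01T10:05:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","awsRegion":"eu-west-3","sourceIPAddress":"198.51.100.77","userAgent":"aws-cli/kali","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE000000001"}}
{"eventTime":"2024-01-01T10:06:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.77","userAgent":"aws-cli/kali","errorCode":"AccessDenied","errorMessage":"User: arn:aws:iam::123456789012:user/ci-deploy is not authorized to perform: iam:CreateUser","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE000000001"}}
"""


def score_event(ev):
    """Return the list of indicator names that fire for one CloudTrail record."""
    hits = []
    if ev.get("awsRegion") not in EXPECTED_REGIONS:
        hits.append("unexpected_region")
    try:
        addr = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        if not any(addr in net for net in TRUSTED_CIDRS):
            hits.append("untrusted_source_ip")
    except ValueError:
        # AWS service principals show up here as hostnames (e.g. lambda.amazonaws.com);
        # they are not geographic sources, so skip the IP check for them.
        pass
    if not ev.get("userAgent", "").startswith(KNOWN_USER_AGENT_PREFIXES):
        hits.append("unusual_user_agent")
    if ev.get("eventName") in RECON_CALLS and ev.get("errorCode") == "AccessDenied":
        hits.append("denied_recon_call")
    return hits


def triage(jsonl):
    """Parse JSON-lines records and collect findings keyed by the access key used."""
    findings = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = score_event(ev)
        if hits:
            key = ev.get("userIdentity", {}).get("accessKeyId", "<none>")
            findings[key].append({
                "time": ev["eventTime"],
                "call": ev["eventName"],
                "ua": ev.get("userAgent", ""),
                "indicators": hits,
            })
    return dict(findings)


def keys_to_revoke(findings, min_indicators=2):
    """Access keys whose activity shows at least min_indicators distinct signals.

    Requiring more than one distinct signal keeps a single travelling engineer
    (one unexpected region, nothing else) from being treated as a leaked key."""
    out = []
    for key, events in findings.items():
        distinct = {ind for e in events for ind in e["indicators"]}
        if len(distinct) >= min_indicators:
            out.append(key)
    return sorted(out)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for key, events in result.items():
        print(key)
        for e in events:
            print("  ", e["time"], e["call"], e["ua"], ",".join(e["indicators"]))
    print("revoke:", keys_to_revoke(result))
```

Feeding real data means replacing `SAMPLE_EVENTS` with the `Records` array of CloudTrail log files (or an Athena/CloudWatch Logs Insights export); the scoring is per record, so it works the same over either. The first record, a routine `ListBuckets` from the trusted range with a known SDK, produces no findings; the two `aws-cli/kali` records accumulate four distinct indicators on one key, which is the point at which the containment step in the report (disable that key) applies.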
## Response Actions
- **Containment:** Initial containment would involve immediate revocation or disabling of the identified compromised IAM access keys and associated users.
- **Eradication:** Identifying and removing any persistence mechanisms created by the attacker (e.g., newly created users or roles).
- **Recovery:** Auditing all accessed resources and restoring security posture.
## Lessons Learned
* **Danger of Long-Lived Credentials:** The incident highlights the significant risk associated with storing and using long-lived static credentials, as leakage grants immediate and sustained access until discovery.
* **Importance of Detection Engineering:** The initial alerts based on unusual geographic location and specific user agents (`aws-cli/kali`) were critical for initial detection, demonstrating the value of monitoring metadata associated with API calls.
## Recommendations
1. **Implement Temporary Credentials:** Transition aggressively away from long-lived access keys for human and application access. Utilize IAM Roles, STS AssumeRole, or short-lived session tokens everywhere possible.
2. **Strengthen Credential Hygiene:** Conduct immediate audits of all stored access keys (local files, environment variables, code repositories) to ensure no long-lived keys are exposed.
3. **Enhance Monitoring & Alerting:** Tune CloudTrail logging and alerting specifically to flag anomalous metadata, such as atypical user agents or unexpected source IPs/geographic locations communicating with the AWS control plane.
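Recommendations 1 and 2 and the containment step above both come down to an inventory of long-lived keys and a decision per key (disable, rotate, or keep). The following is an added example (not the report's or any vendor's code) of that decision logic over a constructed key inventory; the field names mirror what IAM's `ListAccessKeys` (`AccessKeyMetadata`) and `GetAccessKeyLastUsed` (`AccessKeyLastUsed`) return, but every value, user name and key ID is made up, and the 90-day age and 30-day idle thresholds are assumptions to tune per environment.

```python
"""Classify long-lived IAM access keys into disable / rotate / keep buckets.
Added example with a constructed inventory; thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy
MAX_IDLE = timedelta(days=30)      # assumed idle limit before a key is disabled

# Fixed audit time so the example is deterministic (constructed).
AUDIT_TIME = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed inventory: AccessKeyMetadata fields joined with the matching
# AccessKeyLastUsed fields (LastUsedDate is absent for a never-used key).
KEY_INVENTORY = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": datetime(2022, 3, 1, tzinfo=timezone.utc),
     "LastUsedDate": datetime(2024, 1, 1, 10, 6, tzinfo=timezone.utc),
     "ServiceName": "iam", "Region": "us-east-1"},
    {"UserName": "analyst", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": datetime(2023, 12, 20, tzinfo=timezone.utc),
     "LastUsedDate": datetime(2024, 1, 14, tzinfo=timezone.utc),
     "ServiceName": "s3", "Region": "us-east-1"},
    {"UserName": "old-batch", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": datetime(2023, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "legacy-app", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Active",
     "CreateDate": datetime(2023, 6, 1, tzinfo=timezone.utc),
     "LastUsedDate": datetime(2023, 10, 1, tzinfo=timezone.utc),
     "ServiceName": "ec2", "Region": "us-west-2"},
    {"UserName": "retired", "AccessKeyId": "AKIAEXAMPLE000000005", "Status": "Inactive",
     "CreateDate": datetime(2021, 5, 5, tzinfo=timezone.utc)},
]


def classify_key(key, now):
    """Return the action bucket for one key, evaluated at time `now`."""
    if key["Status"] != "Active":
        return "already_inactive"
    age = now - key["CreateDate"]
    last_used = key.get("LastUsedDate")
    if last_used is None:
        # Never used since creation: no legitimate consumer exists, so disabling
        # is safe once the key is older than the idle limit.
        return "disable_never_used" if age > MAX_IDLE else "ok"
    if now - last_used > MAX_IDLE:
        return "disable_idle"
    if age > MAX_KEY_AGE:
        # In use but past the rotation age: issue a new key, cut over, then
        # disable the old one rather than disabling it outright.
        return "rotate_old_in_use"
    return "ok"


def rotation_plan(inventory, now):
    """Group key IDs by action; buckets with no keys are omitted."""
    plan = {}
    for key in inventory:
        plan.setdefault(classify_key(key, now), []).append(key["AccessKeyId"])
    return plan


def users_needing_free_slot(inventory):
    """Users who already hold two active keys cannot be rotated in place:
    IAM allows at most two access keys per user, so one must go first."""
    active = {}
    for key in inventory:
        if key["Status"] == "Active":
            active[key["UserName"]] = active.get(key["UserName"], 0) + 1
    return sorted(user for user, n in active.items() if n >= 2)


if __name__ == "__main__":
    for action, ids in rotation_plan(KEY_INVENTORY, AUDIT_TIME).items():
        print(f"{action:20} {', '.join(ids)}")
    print("users with two active keys:", users_needing_free_slot(KEY_INVENTORY))
```

In a live environment the inventory comes from iterating `ListUsers`, then `ListAccessKeys` and `GetAccessKeyLastUsed` per user, and the `disable_*` buckets map to `UpdateAccessKey` with status `Inactive` before deletion; the `rotate_old_in_use` bucket is the set that needs a coordinated cutover to roles or short-lived STS credentials, which is what Recommendation 1 asks for.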