How AWS responds to exposed credentials and how you can protect your account
When AWS becomes aware of exposed or potentially exposed customer credentials, we act swiftly to protect customer accounts while maintaining operational continuity. This article explains the automated response process, steps that AWS takes to notify affected customers, and actions that you can take to protect your account.
Understanding credential exposure
Credential exposure occurs when AWS access keys or other authentication credentials become publicly accessible. This can happen through various channels, including public code repositories, configuration files, or other publicly accessible sources. When credential exposure occurs, unauthorized parties might gain access to your AWS resources.
AWS monitors multiple sources to identify exposed credentials and takes immediate action when there’s a potential exposure. The goal of AWS is to minimize risk to your account while avoiding disruption to your production workloads.
How AWS detects and responds to exposed credentials
Automated detection and protection
When AWS systems identify public exposure of your AWS access key, we initiate an automated response that’s designed to reduce risk while preserving your ability to operate.
Quarantine policies applied
AWS systems apply targeted quarantine policies to the exposed credentials. These policies block certain AWS Identity and Access Management (IAM) actions that might lead to unauthorized resource creation or data access. The policies also preserve your ability to manage existing resources and maintain operational continuity. With this approach, you can protect your account without entirely disabling the exposed key and disrupting your IT environments and production workloads. AWS calibrated these quarantine policies to prevent potential misuse while allowing you to continue to manage your infrastructure.
Customer notification process
Immediately after applying quarantine policies, AWS creates an outbound support case and notifies you through multiple channels:
- AWS Health: You receive a notification in the AWS Health Dashboard with details about the exposed credential and recommended actions.
- Email notification: AWS sends an email to the security account contact on file and provides information about the exposure and how to get assistance.
- Support case: AWS automatically creates a support case and stands ready to help you delete the exposed keys and implement additional account protections.
- Additional notification channels: You can configure Amazon EventBridge to capture AWS Health events related to exposed credentials or subscribe to Amazon Simple Notification Service (Amazon SNS) topics to receive notifications. These services integrate with your incident management systems so that you can automatically trigger remediation actions, create tickets, or route alerts to your preferred communication channels.
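The following is an added example, not code from the AWS article, of how the EventBridge integration described above can be wired up: an EventBridge rule pattern that selects the AWS Health finding for exposed credentials, a minimal matcher that applies the pattern the way EventBridge's exact-match semantics do, and a Lambda-style handler that turns the event into an incident payload for SNS or a ticketing system. It assumes the Health event arrives with service `RISK` and type code `AWS_RISK_CREDENTIALS_EXPOSED` (the type code AWS Health uses for this finding; verify it against events in your own account) and that the access key ID is carried in `affectedEntities[].entityValue`. The sample event is constructed.

```python
"""Route AWS Health 'exposed credentials' events from EventBridge to an
incident channel. Added example; not from the AWS article. Assumptions:
the Health event uses service "RISK" and eventTypeCode
"AWS_RISK_CREDENTIALS_EXPOSED", and affectedEntities carry the access key
ID in entityValue. The sample event at the bottom is constructed."""
import json
from typing import Any, Dict, List, Optional

# EventBridge rule pattern (JSON) that selects the Health finding for exposed
# keys. Attach it to a rule whose target is an SNS topic, a Lambda function,
# or your ticketing integration.
EXPOSED_KEY_RULE_PATTERN = {
    "source": ["aws.health"],
    "detail-type": ["AWS Health Event"],
    "detail": {
        "service": ["RISK"],
        "eventTypeCode": ["AWS_RISK_CREDENTIALS_EXPOSED"],
    },
}


def matches_pattern(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Minimal EventBridge exact-match semantics: every key in the pattern
    must exist in the event, a list of values means 'any of these', and
    nested dicts recurse. Other operators (prefix, anything-but, ...) are
    deliberately not modelled here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def extract_exposed_keys(event: Dict[str, Any]) -> List[str]:
    """Return the access key IDs named in the event's affectedEntities."""
    entities = event.get("detail", {}).get("affectedEntities", [])
    return [e["entityValue"] for e in entities if e.get("entityValue")]


def build_incident(event: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the raw event into the payload you would hand to SNS or a ticket."""
    detail = event["detail"]
    return {
        "severity": "critical",
        "title": "AWS reports exposed access key(s)",
        "account": event.get("account"),
        "access_keys": extract_exposed_keys(event),
        "detected_at": detail.get("startTime"),
        "source": detail.get("eventTypeCode"),
        "next_steps": [
            "deactivate the listed keys and issue replacements",
            "review CloudTrail for use of the keys",
            "respond to the support case AWS opened",
        ],
    }


def handler(event: Dict[str, Any], context: Any = None) -> Optional[Dict[str, Any]]:
    """Lambda-style entry point: ignore non-matching events, otherwise return
    the incident payload (a real target would publish it to SNS here)."""
    if not matches_pattern(EXPOSED_KEY_RULE_PATTERN, event):
        return None
    incident = build_incident(event)
    print(json.dumps(incident, indent=2))
    return incident


# Constructed sample event in the shape EventBridge delivers AWS Health events.
# The key ID is AWS's documented example ID, not a real credential.
SAMPLE_EVENT = {
    "source": "aws.health",
    "detail-type": "AWS Health Event",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "service": "RISK",
        "eventTypeCode": "AWS_RISK_CREDENTIALS_EXPOSED",
        "eventTypeCategory": "issue",
        "startTime": "Mon, 2 Jun 2025 09:14:00 GMT",
        "affectedEntities": [{"entityValue": "AKIAIOSFODNN7EXAMPLE"}],
    },
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

The pattern dict is the same JSON you would paste into the EventBridge console or a CloudFormation `EventPattern`; keeping it in code lets you unit-test that an incident is raised for the Health finding and not for unrelated events before the rule goes live.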
Information that AWS shares
When AWS notifies you about exposed credentials, we include the following information about the exposure:
- The specific exposed access key.
- The nature of the exposure if available, such as a public code repository or other sources.
- The timestamp of when AWS detected and/or informed you of the exposure.
- Recommended remediation steps.
- Resources to help you effectively respond.
Taking action when credential exposure occurs
Immediate response steps
If you receive notification about exposed credentials, or if you suspect exposure of your credentials, then take the following actions:
- Review the AWS Health Dashboard: Check the AWS Health Dashboard for any active security notifications related to your account. This dashboard provides real-time information about events that are affecting your AWS resources.
- Follow the AWS remediation guide: See What to do if you inadvertently expose an AWS access key for the specific steps that you can take. These steps include how to identify resources, review unauthorized activity, rotate credentials, and update security best practices.
- Contact AWS Support: AWS Support is available to help you through the remediation process. When you receive a notification about exposed credentials, AWS automatically creates a support case. You can respond to this case or contact AWS Support directly with questions or concerns about your account security.
- Report security concerns: If you discover exposed credentials or other security concerns, then report them directly to AWS by emailing aws-security@amazon.com. For sensitive communications, we provide a PGP key for encrypted correspondence.
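As an added example (not the article's or AWS's own code) of the "rotate credentials" step above, here is a containment helper that deactivates the exposed key rather than deleting it immediately, creates a replacement only when the user has room for one, and reports any quarantine policy AWS attached to the user. It assumes the boto3 IAM client methods `list_access_keys`, `get_access_key_last_used`, `list_attached_user_policies`, `update_access_key` and `create_access_key`, and it assumes the managed-policy name prefix `AWSCompromisedKeyQuarantine`, which AWS uses for the quarantine policies described earlier but which the article itself does not name. The `FakeIam` client is constructed so the logic runs offline; swap in `boto3.client("iam")` for a real run.

```python
"""Contain an exposed IAM access key: deactivate it, make sure a replacement
exists, and surface any AWS quarantine policy. Added example, not from the
AWS article. Assumptions: boto3 IAM client method names and response shapes;
the managed-policy name prefix "AWSCompromisedKeyQuarantine" (not named on
the page); FakeIam is a constructed stand-in for boto3.client("iam")."""
from typing import Any, Dict, List

QUARANTINE_PREFIX = "AWSCompromisedKeyQuarantine"  # assumption, see lead-in


def plan_containment(iam: Any, user: str, exposed_key_id: str) -> Dict[str, Any]:
    """Inspect the user's keys and decide what to do. Nothing is changed here,
    so the plan can be reviewed or logged before apply_plan runs."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if exposed_key_id not in [k["AccessKeyId"] for k in keys]:
        raise ValueError(f"{exposed_key_id} does not belong to user {user}")
    active_others = [k["AccessKeyId"] for k in keys
                     if k["AccessKeyId"] != exposed_key_id and k["Status"] == "Active"]
    last = iam.get_access_key_last_used(AccessKeyId=exposed_key_id)["AccessKeyLastUsed"]
    quarantined = [p["PolicyName"]
                   for p in iam.list_attached_user_policies(UserName=user)["AttachedPolicies"]
                   if p["PolicyName"].startswith(QUARANTINE_PREFIX)]
    return {
        "user": user,
        "deactivate": exposed_key_id,
        "last_used_service": last.get("ServiceName"),
        "last_used_region": last.get("Region"),
        # IAM allows two access keys per user: only create a replacement when
        # the user has no other active key and there is a free slot.
        "create_replacement": not active_others and len(keys) < 2,
        "quarantine_policies": quarantined,
    }


def apply_plan(iam: Any, plan: Dict[str, Any]) -> List[str]:
    """Execute the plan. Deactivating (not deleting) keeps the key's history
    visible and is reversible if a workload turns out to depend on it; delete
    it once CloudTrail shows no further use."""
    actions = []
    iam.update_access_key(UserName=plan["user"], AccessKeyId=plan["deactivate"],
                          Status="Inactive")
    actions.append(f"deactivated {plan['deactivate']}")
    if plan["create_replacement"]:
        new = iam.create_access_key(UserName=plan["user"])["AccessKey"]
        actions.append(f"created replacement {new['AccessKeyId']}")
    return actions


class FakeIam:
    """Constructed offline stand-in for a boto3 IAM client: same method
    names and response shapes as the real client, no network."""

    def __init__(self) -> None:
        # AWS's documented example key ID; the quarantine policy name is the
        # V2 variant of the assumed prefix.
        self.keys = {"deploy-bot": [{"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                     "Status": "Active"}]}
        self.policies = {"deploy-bot": [{"PolicyName": "AWSCompromisedKeyQuarantineV2"}]}
        self.counter = 0

    def list_access_keys(self, UserName: str) -> Dict[str, Any]:
        return {"AccessKeyMetadata": [dict(k, UserName=UserName)
                                      for k in self.keys[UserName]]}

    def get_access_key_last_used(self, AccessKeyId: str) -> Dict[str, Any]:
        return {"AccessKeyLastUsed": {"ServiceName": "s3", "Region": "us-east-1"}}

    def list_attached_user_policies(self, UserName: str) -> Dict[str, Any]:
        return {"AttachedPolicies": self.policies[UserName]}

    def update_access_key(self, UserName: str, AccessKeyId: str, Status: str) -> None:
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def create_access_key(self, UserName: str) -> Dict[str, Any]:
        self.counter += 1
        key = {"AccessKeyId": f"AKIANEWKEY{self.counter:010d}", "Status": "Active"}
        self.keys[UserName].append(key)
        return {"AccessKey": key}


if __name__ == "__main__":
    iam = FakeIam()  # real run: import boto3; iam = boto3.client("iam")
    plan = plan_containment(iam, "deploy-bot", "AKIAIOSFODNN7EXAMPLE")
    print(plan)
    print(apply_plan(iam, plan))
```

Separating the plan from its execution is the point: the plan (what was last used, where, and whether AWS already quarantined the user) is what you paste into the support case and your incident ticket, and a reviewer can reject it before any key changes state.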
Turn on Security Incident Response
You can turn on AWS Security Incident Response, a managed service that helps you prepare for, respond to, and recover from security events such as exposed credentials. Security Incident Response provides automated investigation and containment capabilities and 24/7 access to AWS security experts that can guide you through complex incidents. You also gain proactive monitoring that integrates with Amazon GuardDuty and AWS Security Hub to detect anomalous activity from exposed credentials.
Preventing credential exposure
AWS provides multiple services and features designed to help you avoid storing credentials in source code or other locations where exposure could occur:
- AWS Secrets Manager: This service helps you manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycle. By centralizing secret management, you reduce the need to hardcode credentials in your applications.
- AWS Systems Manager Parameter Store: Store configuration data and secrets in a hierarchical structure with built-in version tracking and access controls.
- IAM roles: Use IAM roles to grant permissions to applications that run on Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda functions, and other AWS services. Roles provide temporary credentials that automatically rotate, and reduce the need to store long-term access keys.
- AWS CloudTrail: Turn on CloudTrail logging to maintain a record of API calls made in your account. This audit trail helps you detect unusual activity and investigate security events.
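The CloudTrail item above says the audit trail lets you detect unusual activity and investigate; the following added example (not from the AWS article) shows what that investigation looks like for one exposed key ID. It takes CloudTrail records, keeps only calls made with the exposed key, summarises them by source IP, separates IPs inside your trusted ranges from the rest, lists calls the quarantine policy or your own policies denied, and flags successful calls that expand access. The records are constructed in CloudTrail's JSON record shape (`userIdentity.accessKeyId`, `sourceIPAddress`, `eventName`, `eventTime`, `errorCode`); the set of "sensitive" API names and the trusted CIDR are this example's own choices.

```python
"""Triage CloudTrail records for an exposed access key. Added example, not
from the AWS article. The records below are constructed; the SENSITIVE_EVENTS
set is this example's own choice, not an AWS list."""
import ipaddress
from collections import Counter
from typing import Any, Dict, List

# Successful calls to these APIs expand access or create new credentials, so
# they deserve an immediate look during an exposed-key investigation.
SENSITIVE_EVENTS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                    "PutUserPolicy", "CreateLoginProfile", "RunInstances"}


def _is_trusted(ip: str, trusted: List[ipaddress._BaseNetwork]) -> bool:
    """CloudTrail may put a service name (e.g. a *.amazonaws.com principal)
    in sourceIPAddress; treat anything that is not an IP as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def triage(records: List[Dict[str, Any]], exposed_key_id: str,
           trusted_cidrs: List[str]) -> Dict[str, Any]:
    """Summarise everything the exposed key did, from the trail's viewpoint."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == exposed_key_id]
    by_ip = Counter(r["sourceIPAddress"] for r in hits)
    untrusted_ips = sorted(ip for ip in by_ip if not _is_trusted(ip, trusted))
    # AccessDenied on a quarantined key is the quarantine policy doing its job;
    # it still tells you what the key holder tried.
    denied = [r["eventName"] for r in hits if r.get("errorCode") == "AccessDenied"]
    sensitive = [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
                 for r in hits
                 if r["eventName"] in SENSITIVE_EVENTS and not r.get("errorCode")]
    return {
        "total_calls": len(hits),
        "calls_by_ip": dict(by_ip),
        "untrusted_ips": untrusted_ips,
        "denied": denied,
        "successful_sensitive": sensitive,
        "first_seen": min((r["eventTime"] for r in hits), default=None),
    }


# Constructed sample records. Key IDs are AWS's documented example IDs;
# 198.51.100.0/24 is a documentation-only address block.
EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_RECORDS = [
    {"eventTime": "2025-06-02T08:55:10Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2025-06-02T09:02:41Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2025-06-02T09:20:03Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.23", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2025-06-02T09:21:17Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2025-06-02T09:30:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.0.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_RECORDS, EXPOSED_KEY, ["10.0.0.0/8"]).items():
        print(f"{k}: {v}")
```

Run against a real trail you would feed this the `Records` array from the CloudTrail log files in S3 or the results of a CloudTrail Lake or Athena query filtered on the key ID; the `successful_sensitive` list is what tells you whether containment of the original key is enough or whether newly created credentials and resources also need to be revoked.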
Conclusion
As part of the AWS Shared Responsibility Model, adhere to security, identity, and compliance best practices to maintain your cloud security. If you suspect exposure of your credentials, then follow the best practices in this article. Contact AWS Support for assistance with any account security questions or concerns.