By using AWS re:Post, you agree to the Terms of Use
/AWS Exposed Keys Alerts/

AWS Exposed Keys Alerts


AWS has a mechanism that detects exposed/compromised AWS API keys found in public github repos.

I have seen several areas in which AWS or third parties will state that a PutUserPolicy action will be initiated if this occurs and a policy called AWSExposedCredentialPolicy_DO_NOT_REMOVE will be applied to the user.

Places this policy comes up include:

However, I took the liberty of exposing a static AWS API user key in a public repo (the key had no permissions). Here's what actually happened:

  1. The action taken was AttachUserPolicy.
  2. The policy was a managed policy: AWSCompromisedKeyQuarantineV2.

So whats accurate? When if ever will AWSExposedCredentialPolicy_DO_NOT_REMOVE occur? If AWSExposedCredentialPolicy_DO_NOT_REMOVE doesn't occur, why do these researchers believe this and why can't AWS update their information?

1 Answers


I am not actually 100% sure why these IAM policies have different names (AWSExposedCredentialPolicy_DO_NOT_REMOVE and AWSCompromisedKeyQuarantineV2), but looking at the contents of both it is safe to say that V2 has a lot more deny permissions under it.

Contents of the AWSExposedCredentialPolicy_DO_NOT_REMOVE can be found here:

AWSCompromisedKeyQuarantineV2 has the following permissions:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Deny",
            "Action": [
            "Resource": [

This leads me to think V2 is just that, perhaps just an updated version? The AWS blogs, documentation and articles are not 100% accurate, there are always bugs, false statements, or incomplete sentences I have found and reported over the years.

BTW, there is also a managed policy under the name "AWSCompromisedKeyQuarantine" (without the V2, which looks very similar to the contents of the AWSExposedCredentialPolicy_DO_NOT_REMOVE policy you mentioned).

Hope this helps.

answered 12 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions