How to Deal with Exposed AWS Access Keys

Sarapremashish
3 min read · Apr 29, 2020


AWS access key IDs and secret access keys are, quite literally, the keys to an AWS account, and keeping them secret is your responsibility. They get exposed in predictable ways: committed to a public repository, embedded directly in application code, or carried out of the organisation by a developer who is leaving, which can happen even with the best security policies in place. There are other causes too, but those are a topic for another post. What follows is what to do once it has happened.

What to do when you face this situation

1. Determine which resources the compromised access keys can reach

Start by working out what the key is allowed to do (the IAM policies attached to its user) and what it has actually been used for. The response depends on that scope.

If the keys have read and write access.

Revoke the keys by deactivating them rather than deleting them. A deactivated key can be reactivated; a deleted key cannot be restored. Why does that matter? Every application and tool that still uses the compromised key stops working the moment it is deactivated, and if one of them turns out to be business critical you want the option of briefly restoring it while you roll out a replacement. Delete the key only once you are sure nothing depends on it.

If the keys have read-only access to resources that are already public.

Here the exposure is low, so follow the usual access key rotation process:

  1. Create a new access key
  2. Update all applications and tools to use the new access key
  3. Change the state of the compromised access key to Inactive

If the keys have write access.

Check the integrity of the data the key could modify and look for unexpected changes. If anything was modified, restore it from a known-good backup or an earlier version, and deactivate the exposed keys.

2. Invalidate the credentials

As described in the previous step, when you deactivate the key depends on the situation, but the mechanics are the same: change the key's state to Inactive. The console steps differ for root and IAM user credentials.

Disabling root credentials

  1. Sign in to the AWS Management Console with your root user email address and password.
  2. Click your account name in the navigation bar and choose My Security Credentials.
  3. Expand the Access keys section.
  4. In the Actions column of the compromised key, click Make Inactive.

The root user should not have access keys at all. Once the immediate incident is handled, delete them and use IAM users, roles or federation for programmatic access.

Disabling IAM user credentials

  1. Sign in to the IAM console with your AWS account ID or account alias, your IAM user name, and your password.
  2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
  3. On the AWS IAM credentials tab, go to Access keys for CLI, SDK, & API access.
  4. In the Actions column of the compromised key, click Make Inactive.
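The rotation sequence from step 1 and the deactivation from step 2, done programmatically rather than in the console. This is an added example, not code from the original post. It assumes the caller's own credentials may call iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and iam:DeleteAccessKey for the target user; the boto3 IAM client is passed in as a parameter so the logic can also be exercised against a fake client. The equivalent CLI call for the deactivation alone is aws iam update-access-key --user-name <user> --access-key-id <key id> --status Inactive.

```python
"""Rotate a compromised IAM user access key with boto3.

Added example, not code from the original post. `iam` is a boto3 IAM
client (boto3.client("iam")); it is injected so the function can be run
against a fake client as well as the real service.
"""
import sys

MAX_KEYS_PER_USER = 2  # IAM hard limit on access keys per user


def rotate_access_key(iam, user_name, compromised_key_id):
    """Create a replacement key first, then deactivate (not delete) the
    exposed one. Returns (new_key_id, new_secret); the secret is only ever
    returned by CreateAccessKey, so the caller must store it immediately."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if compromised_key_id not in {k["AccessKeyId"] for k in keys}:
        raise ValueError(f"{compromised_key_id} does not belong to {user_name}")

    # CreateAccessKey fails with LimitExceeded once the user already has two
    # keys, so make room first. Only an *inactive* spare is deleted: a second
    # active key may be in use by something we do not know about.
    if len(keys) >= MAX_KEYS_PER_USER:
        spare = [k for k in keys
                 if k["AccessKeyId"] != compromised_key_id and k["Status"] == "Inactive"]
        if not spare:
            raise RuntimeError(
                f"{user_name} already has {MAX_KEYS_PER_USER} keys; "
                "deactivate and delete the unused one before rotating")
        iam.delete_access_key(UserName=user_name, AccessKeyId=spare[0]["AccessKeyId"])

    new = iam.create_access_key(UserName=user_name)["AccessKey"]

    # Deactivate rather than delete: an Inactive key can be switched back on
    # if a forgotten consumer breaks; a deleted key is gone for good.
    iam.update_access_key(UserName=user_name, AccessKeyId=compromised_key_id,
                          Status="Inactive")
    return new["AccessKeyId"], new["SecretAccessKey"]


def key_status(iam, user_name, key_id):
    """Return the Status ("Active"/"Inactive") of one of the user's keys,
    or None if the user has no such key."""
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if k["AccessKeyId"] == key_id:
            return k["Status"]
    return None


if __name__ == "__main__":
    import boto3  # only needed for the real run

    user, old_key = sys.argv[1], sys.argv[2]
    client = boto3.client("iam")
    new_id, new_secret = rotate_access_key(client, user, old_key)
    print(f"created {new_id}; {old_key} is now {key_status(client, user, old_key)}")
    print("store this secret now, it cannot be retrieved again:", new_secret)
```

Run it as `python rotate.py <user name> <compromised key id>`. The order inside the function is the point: the replacement is created before the old key is deactivated, so there is always one working key, and the old key is left Inactive rather than deleted until you have confirmed nothing still needs it.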

3. Invalidate the temporary security credentials

A long-term access key can be used to obtain temporary security credentials from AWS STS (for example with GetSessionToken or AssumeRole). Temporary credentials have a limited lifetime, anywhere from 15 minutes to 36 hours depending on how they were obtained, and deactivating or rotating the exposed long-term key does not invalidate temporary credentials that were already issued with it: they keep working until they expire. Deleting the IAM user would cut them off, but it also breaks every application that still depends on that user. The practical option is therefore to change the user's effective permissions by attaching an explicit deny policy. IAM evaluates policies on every request, so the deny applies to sessions that already exist, not just to new ones.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*"
  }]
}

This attaches an explicit deny on every action to the IAM principal. Note that a blanket deny also blocks any new key you issue to the same user, so either issue the replacement to a different user or role, or narrow the deny to the old sessions with a condition on aws:TokenIssueTime (deny only requests whose credentials were issued before the moment you rotated the key).
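The narrower form of the deny, which revokes only sessions minted before the rotation, as an added example that is not part of the original post. It builds the policy document with a DateLessThan condition on the IAM condition key aws:TokenIssueTime and includes a small simulator, written for this example only, that shows which requests the statement catches; IAM itself is the authoritative evaluator, and the simulator models just the Deny/DateLessThan shape used here.

```python
"""Deny policy that revokes only the sessions issued before a cutoff.

Added example, not code from the original post. aws:TokenIssueTime is
present on every request signed with temporary credentials, so sessions
issued from the exposed key before the cutoff are denied while
credentials issued after the rotation keep working. session_denied() is a
deliberately small simulator for this example, not IAM's evaluator.
"""
import json
from datetime import datetime, timezone

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, ISO_Z).replace(tzinfo=timezone.utc)


def revocation_policy(cutoff):
    """Policy document denying every action to sessions issued before cutoff."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware")
    stamp = cutoff.astimezone(timezone.utc).strftime(ISO_Z)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RevokeSessionsIssuedBeforeRotation",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def session_denied(policy, token_issue_time):
    """Does `policy` deny a request whose credentials were issued at
    `token_issue_time`? Pass None for a request signed with a long-term key,
    which carries no aws:TokenIssueTime at all."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        limit = st.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if limit is None:
            return True  # unconditional deny, like the blanket policy above
        if token_issue_time is None:
            # A condition key that is absent from the request context does
            # not match, so a long-term-key request is not caught by this
            # statement. That is why the key itself must still be deactivated.
            continue
        if token_issue_time.astimezone(timezone.utc) < parse_utc(limit):
            return True
    return False


if __name__ == "__main__":
    import sys
    import boto3  # only needed for the real run

    user_name = sys.argv[1]
    cutoff = datetime.now(timezone.utc)  # rotate the key *after* this moment
    doc = json.dumps(revocation_policy(cutoff))
    print(doc)
    boto3.client("iam").put_user_policy(
        UserName=user_name,
        PolicyName="RevokeSessionsIssuedBeforeRotation",
        PolicyDocument=doc)
```

Attach the policy, then deactivate the exposed key and issue the replacement. Both halves matter: the condition leaves long-term keys untouched, so until the old key is Inactive an attacker can simply mint a fresh session with a later issue time and walk past the deny.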

4. Restore access with new credentials

If you deleted the IAM user (or its key), create a replacement and issue a new access key to it, then update the applications and tools that need it.

Better still, move those workloads to IAM roles or federation. They use short-lived temporary security credentials issued on demand, so there is no long-lived access key to leak in the first place.

5. Review access to your AWS account

  1. Check the account for persistent or residual access the attacker may have set up: new IAM users, access keys, console login profiles, roles with widened trust policies, and policies attached to existing principals.
  2. Use the CloudTrail logs to establish what was done with the exposed key: which API calls, from which source IP addresses, and against which resources. Include the sessions that were minted from it, since those show up under their own temporary key IDs.
  3. Delete any unrecognised or unauthorised resources (IAM principals, EC2 instances, security group rules, and so on).
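A worked version of that review over CloudTrail records, as an added example that is not part of the original post. The records are constructed here in the shape of a CloudTrail log file ("Records" array); in a real investigation you would load the files your trail delivers to S3, or pull events with aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key id>. The code follows STS responses to pick up temporary keys minted with the exposed key, and the list of flagged event names is this example's own, not an AWS-defined one.

```python
"""Triage CloudTrail records for everything done with a compromised key.

Added example, not code from the original post. SAMPLE_LOG is constructed
for this example; EXPOSED_KEY and TEMP_KEY are made-up key IDs.
"""
import json
from collections import Counter

# STS calls whose response carries a newly minted temporary access key ID
# in responseElements.credentials.accessKeyId.
STS_ISSUING_EVENTS = {"GetSessionToken", "AssumeRole", "GetFederationToken"}

# Calls that create persistent access or blind the logs. Not exhaustive.
FLAGGED_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "CreateRole", "UpdateAssumeRolePolicy", "AddUserToGroup",
    "StopLogging", "DeleteTrail", "UpdateTrail",
}


def _rec(time, source, name, key, ip, **extra):
    """Build one constructed CloudTrail record for the sample log."""
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": key}}
    r.update(extra)
    return r


EXPOSED_KEY = "AKIAEXPOSED000000001"  # constructed, not a real key ID
TEMP_KEY = "ASIAEXPOSEDTEMP00001"      # constructed temporary key ID

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2020-04-28T21:03:11Z", "s3.amazonaws.com", "ListBuckets", EXPOSED_KEY, "198.51.100.7"),
    _rec("2020-04-28T21:04:40Z", "iam.amazonaws.com", "CreateUser", EXPOSED_KEY, "198.51.100.7",
         requestParameters={"userName": "backup-svc"}),
    _rec("2020-04-28T21:04:52Z", "iam.amazonaws.com", "CreateAccessKey", EXPOSED_KEY, "198.51.100.7",
         requestParameters={"userName": "backup-svc"}),
    _rec("2020-04-28T21:06:30Z", "sts.amazonaws.com", "GetSessionToken", EXPOSED_KEY, "198.51.100.7",
         responseElements={"credentials": {"accessKeyId": TEMP_KEY,
                                           "expiration": "Apr 30, 2020 9:06:30 AM"}}),
    _rec("2020-04-28T21:08:15Z", "cloudtrail.amazonaws.com", "StopLogging", TEMP_KEY, "198.51.100.7",
         requestParameters={"name": "main-trail"}),
    _rec("2020-04-28T21:10:03Z", "ec2.amazonaws.com", "RunInstances", TEMP_KEY, "198.51.100.7"),
    _rec("2020-04-28T22:00:00Z", "s3.amazonaws.com", "PutObject", "AKIALEGIT00000000002", "10.0.3.12"),
]})


def keys_derived_from(records, access_key_id):
    """The exposed key plus every temporary key ID minted with it,
    transitively, found by following STS responses in the records."""
    keys = {access_key_id}
    while True:
        found = set()
        for r in records:
            if r["eventName"] not in STS_ISSUING_EVENTS:
                continue
            if r.get("userIdentity", {}).get("accessKeyId") not in keys:
                continue
            creds = (r.get("responseElements") or {}).get("credentials") or {}
            if creds.get("accessKeyId"):
                found.add(creds["accessKeyId"])
        if found <= keys:  # fixed point: nothing new was minted
            return keys
        keys |= found


def triage(log_text, access_key_id):
    """Summarise what was done with the key and the sessions derived from it."""
    records = sorted(json.loads(log_text)["Records"], key=lambda r: r["eventTime"])
    keys = keys_derived_from(records, access_key_id)
    hits = [r for r in records if r.get("userIdentity", {}).get("accessKeyId") in keys]
    created = sorted({
        r["requestParameters"]["userName"] for r in hits
        if r["eventName"] in ("CreateUser", "CreateAccessKey", "CreateLoginProfile")
        and "userName" in (r.get("requestParameters") or {})
    })
    return {
        "keys": sorted(keys),
        "first_seen": hits[0]["eventTime"] if hits else None,
        "last_seen": hits[-1]["eventTime"] if hits else None,
        "source_ips": sorted({r["sourceIPAddress"] for r in hits}),
        "actions": Counter(f'{r["eventSource"]}:{r["eventName"]}' for r in hits),
        "flagged": [(r["eventTime"], r["eventName"], r.get("requestParameters") or {})
                    for r in hits if r["eventName"] in FLAGGED_EVENTS],
        "created_principals": created,  # user names to go and delete
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, EXPOSED_KEY), indent=2))
```

On the sample data the report shows the attacker creating a second user and key (the residual access to remove), switching to a temporary session, and stopping the trail from that session; the legitimate PutObject from the unaffected key is excluded. Remember that StopLogging succeeds in the sample only because the key had the permission, so once you find a gap in the trail, treat everything after it as unknown rather than as quiet.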
