AWS Full Credentials
Service Name: Amazon Web Services
Service Description: Amazon Web Services (AWS) is a comprehensive cloud platform offering over 200 fully featured services from data centers globally, providing computing power, storage, and other functionality to help businesses scale.
Service Address: https://aws.amazon.com/
Validation Type: NHI Enriched API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants programmatic access to AWS resources based on the permissions of the associated IAM user or role.
Secret Revokement URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_DeactivateDeleteKey
Secret Example: AKIAIOSFODNN7EXAMPLE
Suspicious Activity Investigation Instructions:
- Review CloudTrail logs for unusual API calls or resource access
- Check for unauthorized IAM users or roles created in your account
- Look for unusual resource deployments or modifications
- Monitor for unexpected data transfers out of your AWS account
- Check for changes to security group rules or IAM policies
Mitigation Instructions:
- Immediately deactivate the compromised access key in the AWS IAM console
- Navigate to IAM > Users > [Username] > Security credentials
- Find the compromised access key and click "Make inactive"
- Delete the key after ensuring no legitimate services are using it
- Create a new access key if needed with appropriate permissions
- Rotate all potentially affected secrets and passwords
- Review and restrict IAM permissions to follow the principle of least privilege