Remediating potentially compromised AWS credentials - Amazon GuardDuty

Remediating potentially compromised AWS credentials

When GuardDuty generates an IAM finding type, it indicates that your AWS credentials may have been compromised. The potentially compromised Resource type is AccessKey.

To remediate potentially compromised credentials in your AWS environment, perform the following steps:

  1. Identify the potentially compromised IAM entity and the API call used.

    The API call used is listed as API in the finding details. The IAM entity (either an IAM role or user) and its identifying information are listed in the Resource section of the finding details. The type of IAM entity involved can be determined from the User Type field, and the name of the IAM entity appears in the User name field. The type of IAM entity involved in the finding can also be determined from the Access key ID that was used.

    For keys beginning with AKIA:

    This type of key is a long-term customer-managed credential associated with an IAM user or the AWS account root user. For information about managing access keys for IAM users, see Managing access keys for IAM users.

    For keys beginning with ASIA:

    This type of key is a short-term temporary credential generated by AWS Security Token Service (AWS STS). These keys exist for only a short time and cannot be viewed or managed in the AWS Management Console. IAM roles always use AWS STS credentials, but they can also be generated for IAM users. For more information on AWS STS, see IAM: Temporary security credentials.

    If a role was used, the User name field indicates the name of the role. You can determine how the key was requested by examining the sessionIssuer element of the corresponding AWS CloudTrail log entry. For more information, see IAM and AWS STS information in CloudTrail.

  2. Review permissions for the IAM entity.

    Open the IAM console. Depending on the type of entity used, choose the Users or Roles tab, and locate the affected entity by typing the identified name into the search field. Use the Permissions and Access Advisor tabs to review the effective permissions for that entity.

  3. Determine whether the IAM entity credentials were used legitimately.

    Contact the user of the credentials to determine if the activity was intentional.

    For example, find out if the user did the following:

    • Invoked the API operation that was listed in the GuardDuty finding

    • Invoked the API operation at the time that is listed in the GuardDuty finding

    • Invoked the API operation from the IP address that is listed in the GuardDuty finding
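The triage in steps 1 through 3 can be scripted against the finding and CloudTrail JSON. The following is an added example, not AWS code: it classifies the access key by its AKIA/ASIA prefix, extracts the entity, API, source IP and time from a constructed finding shaped like the GuardDuty GetFindings result, and reads the sessionIssuer element from a constructed CloudTrail record to recover the role that issued a temporary credential. All key IDs, names, ARNs and IP addresses in the samples are constructed.

```python
"""Triage a GuardDuty AccessKey finding (added example, not AWS code)."""
# Constructed sample, shaped like a GuardDuty GetFindings result (fields trimmed).
SAMPLE_FINDING = {
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "ASIAEXAMPLE0000000001",  # constructed, not a real key
            "UserName": "ec2-app-role",
            "UserType": "AssumedRole",
        },
    },
    "Service": {
        "Action": {"AwsApiCallAction": {
            "Api": "ListBuckets", "ServiceName": "s3.amazonaws.com",
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}},
        "EventFirstSeen": "2024-05-01T10:15:00Z",
        "EventLastSeen": "2024-05-01T10:17:00Z",
    },
}
# Constructed CloudTrail record for the same key; sessionIssuer names the role.
SAMPLE_CLOUDTRAIL = {"eventName": "ListBuckets", "userIdentity": {
    "type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000000001",
    "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "ec2-app-role",
        "arn": "arn:aws:iam::111122223333:role/ec2-app-role"}}}}

def classify_access_key(access_key_id):
    """AKIA = long-term IAM user/root key; ASIA = temporary AWS STS credential."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"

def triage_finding(finding):
    """Pull the entity, key kind and API call details a responder needs for step 1."""
    resource = finding["Resource"]
    if resource.get("ResourceType") != "AccessKey":
        raise ValueError("not an AccessKey finding")
    key = resource["AccessKeyDetails"]
    call = finding["Service"]["Action"]["AwsApiCallAction"]
    return {"entity_type": key["UserType"], "entity_name": key["UserName"],
            "key_kind": classify_access_key(key["AccessKeyId"]), "api": call["Api"],
            "source_ip": call["RemoteIpDetails"]["IpAddressV4"],
            "first_seen": finding["Service"]["EventFirstSeen"]}

def session_issuer_arn(record):
    """Role ARN from CloudTrail sessionIssuer for temporary keys; None for user keys."""
    issuer = record.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer")
    return issuer.get("arn") if issuer else None
```

The dictionary returned by triage_finding carries exactly the three facts (API, time, source IP) to confirm with the credential's owner in step 3.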

If this activity is a legitimate use of the AWS credentials, you can ignore the GuardDuty finding. The GuardDuty console (https://console.aws.amazon.com/guardduty/) allows you to set up rules that entirely suppress individual findings so that they no longer appear. For more information, see Suppression rules in GuardDuty.

If you can't confirm that this activity is a legitimate use, it could be the result of a compromise of the particular access key, of the IAM user's sign-in credentials, or possibly of the entire AWS account. If you suspect your credentials have been compromised, review the information in the My AWS account may be compromised article to remediate this issue.