Account compromise attacks due to leaked access keys are typically remediated by deleting the compromised access keys. This is not sufficient as the attacker can create a covert channel to perform malicious activity using temporary security credentials. We describe this attack in detail and provide security best practices for remediation in part 1 of this blog.
Moreover, the attacker can use privilege escalation, as described in our first episode RedTalk: Privilege Escalation Through IAM Instance Profile Role, to continue performing malicious activity. To remediate this, all instances created/started using the compromised user’s credentials (either access key or temporary security tokens associated with the user), should be deleted.
The RedLock Cloud Security Intelligence (CSI) team highly recommends that you invest in forensic tools that provide features such as user attribution of events and timelines of the actions performed by a user, such as starting/stopping EC2 instances and attaching roles to instances, in addition to following the other best practices described above.
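The attribution and timeline logic described above, as an added example that is not part of the RedLock post, run over a handful of constructed CloudTrail records: starting from the leaked long-term key, it follows every temporary key minted by an STS call made with a tainted key (the covert channel from part 1), so chained GetSessionToken/AssumeRole sessions are covered, and lists the instances launched or started with any of those keys. The record field names follow the CloudTrail event format; the key IDs, user names and instance IDs are made up.

```python
import json

# Constructed CloudTrail records for illustration (not real log data). The leaked
# long-term key is AKIAEXAMPLE0000000001; the attacker mints a temporary key with
# GetSessionToken and keeps working with it after the long-term key is deleted.
COMPROMISED_KEYS = {"AKIAEXAMPLE0000000001"}
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2018-05-01T10:00:00Z","eventName":"GetSessionToken",
  "userIdentity":{"type":"IAMUser","userName":"dev-user","accessKeyId":"AKIAEXAMPLE0000000001"},
  "responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLE0000000002"}}},
 {"eventTime":"2018-05-01T10:05:00Z","eventName":"RunInstances",
  "userIdentity":{"type":"IAMUser","userName":"dev-user","accessKeyId":"ASIAEXAMPLE0000000002"},
  "responseElements":{"instancesSet":{"items":[{"instanceId":"i-0aaa111122223333a"}]}}},
 {"eventTime":"2018-05-01T10:06:00Z","eventName":"StartInstances",
  "userIdentity":{"type":"IAMUser","userName":"dev-user","accessKeyId":"ASIAEXAMPLE0000000002"},
  "requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0bbb111122223333b"}]}}},
 {"eventTime":"2018-05-01T10:07:00Z","eventName":"RunInstances",
  "userIdentity":{"type":"IAMUser","userName":"ops-admin","accessKeyId":"AKIAOTHER000000000009"},
  "responseElements":{"instancesSet":{"items":[{"instanceId":"i-0ccc111122223333c"}]}}}
]""")

STS_ISSUERS = {"GetSessionToken", "GetFederationToken", "AssumeRole"}
INSTANCE_EVENTS = {"RunInstances", "StartInstances"}

def _instance_ids(event):
    """Collect instance IDs from both requestParameters and responseElements."""
    ids = set()
    for section in ("requestParameters", "responseElements"):
        items = ((event.get(section) or {}).get("instancesSet") or {}).get("items", [])
        ids.update(i["instanceId"] for i in items if "instanceId" in i)
    return ids

def build_timeline(events, compromised_keys):
    """Walk events in time order; a temporary key returned by an STS call made with a
    tainted key is itself tainted. Returns (tainted keys, instances, timeline rows)."""
    tainted = set(compromised_keys)
    instances, timeline = set(), []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        key = e["userIdentity"].get("accessKeyId")
        if key not in tainted:
            continue  # activity by someone else's credentials
        timeline.append((e["eventTime"], e["eventName"], key))
        creds = (e.get("responseElements") or {}).get("credentials") or {}
        if e["eventName"] in STS_ISSUERS and "accessKeyId" in creds:
            tainted.add(creds["accessKeyId"])  # temporary key: covert channel
        elif e["eventName"] in INSTANCE_EVENTS:
            instances.update(_instance_ids(e))  # candidates for termination
    return tainted, instances, timeline
```

Failed STS calls carry no responseElements, so they add no key to the tainted set; instances started by other users with untainted keys (ops-admin above) are left out of the list.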