Through the Attacker’s Eyes: A New Era of NHI Security
This final installment in our blog series brings together everything we’ve uncovered about leaked AWS Access Keys—how attackers exploit them, why traditional security measures fall short, and what organizations can do to protect themselves.
Over the series, we explored real-world scenarios across various platforms: GitHub and GitLab, Package Managers, Code Sharing Platforms, developer forums, and even the Internet Archive breach and RDS credentials. These experiments laid bare the truth: secrets exposed online are a magnet for attackers, and traditional secret rotation is no match for their speed and sophistication.
In this post, we’ll look at the game through the attackers’ eyes, explore the methods and tools they use, and unveil AWSKeyLockdown—a tool we built to help enterprises neutralize these threats.
Addressing a Common Misconception - The Hidden Dangers of Quarantined Keys
It's crucial to address a misconception that could undermine the perceived impact of our research. One might argue that since platforms like GitHub automatically detect exposed AWS access keys and AWS promptly attaches the AWSCompromisedKeyQuarantineV2 policy to these keys, the potential for damage is minimal. After all, if the keys are quickly quarantined, what harm could attackers possibly inflict within such a short window?
This line of thinking, however, dangerously underestimates the capabilities of modern attackers and the residual risks associated with quarantined keys. While it's true that GitHub's secret scanning (freely available for all public repositories) alerts AWS to exposed keys—prompting an automatic quarantine—the reality is that these compromised keys remain far from harmless. Attackers can and do exploit them almost immediately upon exposure, often within minutes or even seconds.
Even with the quarantine policy in place, a significant number of permissions remain accessible to the attacker. These permissions allow for a range of malicious activities, including but not limited to:
Reconnaissance Operations: Attackers can list users, roles, policies, and access keys through IAM (iam:List*, iam:Get*), gaining invaluable insights into your AWS environment.
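As an added, defender-side example (not code from the original post or from the AWSKeyLockdown tool), the check below scans constructed CloudTrail-style events for IAM read calls (iam:List*, iam:Get*) that a quarantined key still makes after its quarantine time; the key IDs, timestamps and IP addresses are made-up sample values.

```python
import fnmatch
import json
from datetime import datetime, timezone

# Constructed sample data (not real keys or logs): key ...0001 was quarantined
# at 12:00Z and keeps making IAM read calls afterwards; key ...0002 is not quarantined.
QUARANTINED_KEYS = {"AKIAEXAMPLE000000001": "2024-05-01T12:00:00Z"}

SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T11:58:10Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T12:03:42Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetAccountAuthorizationDetails",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T12:04:05Z", "eventSource": "iam.amazonaws.com", "eventName": "ListAccessKeys",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}, "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T12:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}, "sourceIPAddress": "198.51.100.4"},
]

# Action patterns the quarantine policy leaves usable, as named in the post.
RECON_PATTERNS = ("iam:List*", "iam:Get*")

def to_action(event):
    """Map eventSource + eventName to the IAM action form, e.g. iam:ListUsers."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_post_quarantine_recon(events, quarantined_keys, patterns=RECON_PATTERNS):
    """Return successful IAM read calls made by a quarantined key after its quarantine time."""
    hits = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in quarantined_keys or parse_ts(ev["eventTime"]) < parse_ts(quarantined_keys[key]):
            continue
        if ev.get("errorCode"):  # denied calls are expected under quarantine; only successes matter here
            continue
        action = to_action(ev)
        if any(fnmatch.fnmatchcase(action, p) for p in patterns):
            hits.append({"time": ev["eventTime"], "key": key, "action": action, "ip": ev["sourceIPAddress"]})
    return hits

if __name__ == "__main__":
    for hit in find_post_quarantine_recon(SAMPLE_EVENTS, QUARANTINED_KEYS):
        print(json.dumps(hit))
```

Two hits are reported for the sample data: the pre-quarantine call, the denied EC2 call, and the other key's call are all skipped, which is the signal a responder wants when deciding whether a quarantined key must still be deleted rather than merely rotated.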