Remediating potentially compromised AWS credentials
When GuardDuty generates IAM finding types, it indicates that your AWS credentials have been compromised. The potentially compromised Resource type is AccessKey.
To remediate potentially compromised credentials in your AWS environment, perform the following steps:
- Identify the potentially compromised IAM entity and the API call used.
  The API call used will be listed as API in the finding details. The IAM entity (either an IAM role or user) and its identifying information will be listed in the Resource section of the finding details. The type of IAM entity involved can be determined by the User Type field; the name of the IAM entity will be in the User name field. The type of IAM entity involved in the finding can also be determined by the Access key ID used.
  - For keys beginning with AKIA: This type of key is a long-term, customer-managed credential associated with an IAM user or the AWS account root user. For information about managing access keys for IAM users, see Managing access keys for IAM users.
  - For keys beginning with ASIA: This type of key is a short-term temporary credential generated by AWS Security Token Service. These keys exist for only a short time and cannot be viewed or managed in the AWS Management Console. IAM roles always use AWS STS credentials, but they can also be generated for IAM users; for more information on AWS STS, see IAM: Temporary security credentials.
    If a role was used, the User name field will indicate the name of the role used. You can determine how the key was requested with AWS CloudTrail by examining the sessionIssuer element of the CloudTrail log entry; for more information, see IAM and AWS STS information in CloudTrail.
- Review permissions for the IAM entity.
  Open the IAM console. Depending on the type of the entity used, choose the Users or Roles tab, and locate the affected entity by typing the identified name into the search field. Use the Permissions and Access Advisor tabs to review effective permissions for that entity.
- Determine whether the IAM entity credentials were used legitimately.
  Contact the user of the credentials to determine if the activity was intentional. For example, find out if the user did the following:
  - Invoked the API operation that is listed in the GuardDuty finding
  - Invoked the API operation at the time that is listed in the GuardDuty finding
  - Invoked the API operation from the IP address that is listed in the GuardDuty finding
If this activity is a legitimate use of the AWS credentials, you can ignore the GuardDuty finding. The https://console.aws.amazon.com/guardduty/
If you can't confirm that this activity is a legitimate use, it could be the result of a compromise of the particular access key, of the IAM user's sign-in credentials, or possibly of the entire AWS account. If you suspect your credentials have been compromised, review the information in My AWS account may be compromised
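The triage above (API call, User Type, User name, Access key ID prefix, and the CloudTrail sessionIssuer for temporary keys) can be scripted against the finding JSON that the GuardDuty API returns. The following is an added example, not code from the AWS documentation; the finding and CloudTrail record it reads are constructed sample data, and field names follow the GuardDuty finding and CloudTrail log formats.

```python
# Shape follows GuardDuty's finding JSON: Resource.AccessKeyDetails and
# Service.Action.AwsApiCallAction. Values are made up for illustration.
SAMPLE_FINDING = {
    "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {
        "AccessKeyId": "ASIAEXAMPLEKEY000001", "UserName": "AppDeployRole",
        "UserType": "AssumedRole"}},
    "Service": {"EventFirstSeen": "2024-05-01T10:15:00Z", "Action": {
        "AwsApiCallAction": {"Api": "ListBuckets",
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}}},
}

# Constructed CloudTrail record for the same key; sessionIssuer is the element
# the runbook says to check for temporary (ASIA) credentials.
SAMPLE_CLOUDTRAIL_EVENT = {
    "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000001",
        "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AppDeployRole",
            "arn": "arn:aws:iam::111122223333:role/AppDeployRole"}}},
}

def key_kind(access_key_id):
    """AKIA = long-term IAM user/root key; ASIA = temporary AWS STS credential."""
    prefix = access_key_id[:4]
    return {"AKIA": "long-term", "ASIA": "temporary"}.get(prefix, "unknown")

def triage(finding):
    """Return the identifiers step 1 tells you to pull out of the finding."""
    akd = finding["Resource"]["AccessKeyDetails"]
    action = finding["Service"]["Action"]["AwsApiCallAction"]
    return {
        "api": action["Api"],
        "user_type": akd["UserType"],
        "user_name": akd["UserName"],
        "access_key_id": akd["AccessKeyId"],
        "key_kind": key_kind(akd["AccessKeyId"]),
        "remote_ip": action["RemoteIpDetails"]["IpAddressV4"],
        "first_seen": finding["Service"]["EventFirstSeen"],
    }

def issuing_role(event):
    """For temporary keys, CloudTrail's sessionIssuer names the assumed role."""
    issuer = event["userIdentity"].get("sessionContext", {}).get("sessionIssuer")
    return issuer["arn"] if issuer else None

if __name__ == "__main__":
    summary = triage(SAMPLE_FINDING)
    print(summary)
    if summary["key_kind"] == "temporary":
        print("issued by:", issuing_role(SAMPLE_CLOUDTRAIL_EVENT))
```

The api, first_seen and remote_ip values in the summary are the three facts to confirm with the credential's owner in step 3.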