Exposed AWS Access Keys

1. Determine what resources those credentials have access to.

• If the credentials allow read and write access to sensitive data, you might wish to disable access promptly.

• If the credentials only allow read access to data you intended to make public, you might choose to create new credentials first, transition to these new credentials, and then disable the old credentials.

2. Invalidate the credentials so they can no longer be used to access your account.

• AWS recommend disabling credentials as a first step instead of deleting them, because disabled credentials can be restored if needed.

3. Consider invalidating any temporary security credentials that might have been issued using the credentials.

• If you want to promptly invalidate any temporary security credentials that might have been issued by using the exposed credentials, and not simply wait for them to expire at the end of their lifetime: attach a “deny all” policy to the IAM user and keep the policy in place for 36 hours (the maximum lifespan for temporary credentials).

4. Restore appropriate access.

• If you deleted an IAM user, create a new one with a new access key.

• Instead of using a long-lived AWS credential like the access key for an IAM user, consider using IAM roles or federation.

5. Review access to your AWS account.

• Review all available S3 bucket logs and AWS CloudTrail logs to understand what actions might have been performed on your AWS resources.