🔐
AWS SCS-C01
  • Practice Test Scores
  • Domain 1 - Incident Response
    • Incident Response
    • Exposed AWS Access Keys
    • Compromised EC2 Instance
    • How do you report abuse of AWS resources?
    • GuardDuty
    • Penetration Testing
  • Domain 2 - Logging & Monitoring
    • Some Basics
    • Inspector
    • Security Hub
    • AWS WAF
    • Systems Manager
    • Systems Manager Features
    • CloudWatch Logs
    • Athena
    • CloudTrail
    • Config
    • Trusted Advisor
    • CloudTrail Log File Integrity
    • Macie
    • S3 Event Notifications
    • VPC Flow Logs
    • Centralized Logging Architecture
  • Domain 3 - Infrastructure Security
    • Bastion Hosts
    • Site-to-Site VPN
    • VPC Peering
    • VPC Endpoints
    • Network ACL
    • Firewall vs IPS vs IDS
    • EBS
    • CloudFront
    • Shield
    • Mitigating DDoS Attacks
    • EC2 Key Pair Troubleshooting
    • EC2 Tenancy
    • Artifact
    • Lambda@Edge
    • Simple Email Service (SES)
    • DNS Support in VPC
  • Domain 4 - Identity & Access Management
    • Organizations
    • IAM Policy Evaluation Logic
    • Understanding IAM Policies
    • IAM Tutorial: Delegate access across AWS accounts using IAM roles
    • External ID
    • iptables
    • IAM policy elements: Version
    • IAM policy elements: Variables and tags
    • Policy elements: Principal and NotPrincipal
    • IAM policy elements: Condition
    • Security Token Service (STS)
    • Identity federation in AWS
    • Enabling SAML for your AWS resources
    • Single Sign-On
    • Cognito
    • Directory Service
    • Trusts in Active Directory
    • Example S3 Bucket Policies
    • Cross-account access to S3 buckets using Resource-based policies and IAM policies
    • S3 Access Control Lists (ACLs)
    • Presigned URLs
    • S3 Versioning
    • S3 Cross-Region Replication (CRR)
    • S3 Object Lock
    • Configuring MFA-protected API access
    • IAM Permission Boundaries
  • Domain 5 - Data Protection
  • CloudHSM
  • Key Management Service (KMS)
  • Symmetric CMKs vs Asymmetric CMKs
  • Data Key Caching
  • Deleting KMS CMKs
  • Default KMS Key Policy
  • Managing access to KMS CMKs
  • KMS CMK Key Types
  • Rotating KMS CMKs
  • Example Key Policies for KMS Questions
  • KMS Grants
  • KMS CLI Commands
  • Importing key material in KMS
  • KMS Condition Keys
  • Migrating Encrypted KMS Data Across Regions
  • KMS Encryption Context
  • CloudHSM vs KMS
  • S3 Data Encryption
  • Application Load Balancer (ALB)
  • ELB Listeners Part 1
  • ELB Listeners Part 2
  • AWS Certificate Manager (ACM)
  • Glacier
  • DynamoDB Encryption
  • AWS Secrets Manager
  • Summaries
    • Domain 1
    • Domain 2
    • Domain 3
    • Domain 4
    • Domain 5
Powered by GitBook
On this page
  • 1. Determine what resources those credentials have access to.
  • 2. Invalidate the credentials so they can no longer be used to access your account.
  • 3. Consider invalidating any temporary security credentials that might have been issued using the credentials.
  • 4. Restore appropriate access.
  • 5. Review access to your AWS account.

Was this helpful?

  1. Domain 1 - Incident Response

Exposed AWS Access Keys

1. Determine what resources those credentials have access to.

  • If the credentials allow read and write access to sensitive data, you might wish to disable access promptly.

  • If the credentials only allow read access to data you intended to make public, you might choose to create new credentials first, transition to these new credentials, and then disable the old credentials.

2. Invalidate the credentials so they can no longer be used to access your account.

  • AWS recommend disabling credentials as a first step instead of deleting them, because disabled credentials can be restored if needed.

3. Consider invalidating any temporary security credentials that might have been issued using the credentials.

  • If you want to promptly invalidate any temporary security credentials that might have been issued by using the exposed credentials, and not simply wait for them to expire at the end of their lifetime: attach a “deny all” policy to the IAM user and keep the policy in place for 36 hours (the maximum lifespan for temporary credentials).

4. Restore appropriate access.

  • If you deleted an IAM user, create a new one with a new access key.

  • Instead of using a long-lived AWS credential like the access key for an IAM user, consider using IAM roles or federation.

5. Review access to your AWS account.

  • Review all available S3 bucket logs and AWS CloudTrail logs to understand what actions might have been performed on your AWS resources.

PreviousIncident ResponseNextCompromised EC2 Instance

Last updated 4 years ago

Was this helpful?