With the average cost of a data breach coming in at $4.45M in 2023, safeguarding sensitive information and maintaining the security of cloud environments is more critical than ever. Instances of compromised access keys, not exclusive to AWS (Amazon Web Services) but prevalent across cloud platforms, underscore the pressing need for robust security measures.
This blog takes a deep dive into an actual case of AWS access key theft, offering insights into the detailed steps taken to detect, respond to, and mitigate the breach. The article then provides best practices to avoid these types of attacks, some data points around average failure rates of AWS IAM-related controls focused on access keys, and showcases the power of Qualys TotalCloud to secure against these types of misconfigurations.
Access keys are essential credentials used for programmatic interactions with AWS services. They consist of an access key ID and a secret access key, which must be used together to authenticate requests.
The access key ID is a unique identifier, while the secret access key is a password-like string used to sign requests. Losing a secret access key necessitates revoking the key and creating a new one.
A security alert flagged an AWS user account breach initiated by an unfamiliar Kali Linux user agent – specifically aws-cli/1.22.34 Python/3.9.11 Linux/5.15.0-kali3-amd64 botocore/1.27.84. The subsequent investigation uncovered three denied AWS API calls, including an intriguingGetSendQuota, all originating from the same access key but with different user agents. This incident was quickly escalated, prompting swift remediation actions like credential resets and access key disablement.
Further examination revealed seven compromised AWS IAM accounts/access keys, all of which underwent similar remediation procedures. The unexpected twist—the compromised AWS keys were traced back to a publicly exposed Postman server with stored access key credentials.
The investigation extended to the associated IP address, revealing it was allocated to a hosting provider outside of AWS, Google, or Microsoft. Moreover, its location was atypical for the customer, adding another layer of complexity to the breach.
Unauthorized access key theft in AWS can have broad-reaching consequences, potentially impacting various AWS services.
In the above case, the attacker’s actions primarily revolved around AWS SES (Simple Email Service) with a focus on the “**GetSendQuota”**action. This kind of action offers the potential for a range of malicious activities.
The attacker also misused the “**UpdateAccountSendingEnabled”API action.**This is the action that allows users to turn email on or off across the entire Amazon SES account in the current AWS region. This action is used by legitimate users to manage their email-sending capabilities, ensuring compliance with AWS SES limits and controlling email sending for various use cases.
However, if malicious actors gain unauthorized access to an AWS SES account, they can abuse the "UpdateAccountSendingEnabled" API action in several ways:
Here are some best practices for managing access keys in cloud environments to prevent this kind of attack on an AWS environment. Note that these best practices also apply for other cloud environments, and to assist in maintaining the security of those environments, the following includes recommendations for Azure and GCP.
To illustrate the current state of access key security, the Qualys research team has conducted an in-depth analysis of the average failure rates of AWS IAM-related controls, focusing mainly on access keys.
While your environment is unique, and you should make your own assessments of which best practices to focus on first, the following graph provides a comprehensive overview of misconfigurations, enabling users to assess and address security vulnerabilities effectively.
To address the above misconfigurations and effectively secure access keys, Qualys TotalCloud offers a robust set of controls designed to implement best practices and advanced preventive measures, fortifying cloud environments like AWS against misconfigurations. As highlighted below, our security best practices cover vital areas such as IAM (Identity and Access Management), public accessibility, logging, and more. These controls are meticulously aligned with industry-wide security standards, ensuring comprehensive protection for your infrastructure. Here are a few more notable examples:
The incident described in this post is a stark reminder of the critical importance of safeguarding access keys and maintaining the security of cloud environments.
By consistently rotating keys, avoiding hardcoding, implementing multi-factor authentication, and following the principle of least privilege, you can significantly enhance the security of your cloud resources. Moreover, robust monitoring, secure key storage, and a well-prepared incident response plan are indispensable elements of a comprehensive security strategy. A solution like Qualys TotalCloud is a comprehensive way to implement these types of controls.
In today's threat landscape, these best practices are critical for maintaining the highest level of protection for your cloud infrastructure.
Start your Qualys TotalCloud experience to fortify your AWS environment against misconfigurations and take advantage of the best practices already programmed into the solution that will notify you when you need to take action to secure your access keys.