When Amazon Web Services (AWS) finds leaked credentials, it goes into principal mode and puts them into a Breakfast Club of restrictions.
While the quarantine restricts certain actions—like the listing of identities or the deleting of a role—some malicious actions are still possible. A free, open-source tool from Permiso Security called “DetentionDodger” finds those detained credentials and what threat actors can still do with them.
“Just knowing the key was quarantined is one issue, but it’s going through and saying, based on all the current permissions, what are all the naughty things that this key can still do, even with that quarantine policy applied? What are all the ways an attacker could dodge detention for this access key based on its current capabilities?” Daniel Bohannon, principal security researcher, told IT Brew. (Bohannon did not create the tool. His colleague Bleon Proko, who contacted IT Brew through email, led the development.)
Hardcoded times. Bohannon said he has seen threat actors using leaked credentials to spin up virtual machines and install Bitcoin miners; he’s also seen key thieves use the company’s large language model (LLM) service Bedrock and abuse AWS’s Simple Email Service to send spam.
“If someone compromises an account for a large organization, what if you can send emails as that organization or just send out spam using their infrastructure at their cost?” Bohannon said.
On Oct. 22, security company Symantec reported that some mobile apps had codebases featuring hardcoded credentials for various cloud services.
AWS spokesperson Ryan Walsh shared this company statement: “The Key Quarantine policy is working as designed, which is to restrict high risk actions that could result in fraud related financial loss, but it is not a security tool. While a customer could theoretically ‘deny all’ functions, that would likely negatively impact their production environment. That's why we provide customers with additional layers of security guidance and resources to help guard against malicious activity.”
AWS provides advice regarding what to do when a key appears to be leaked. The company’s quarantine restrictions, Permiso noted in a blog post, deny access to plenty of disruptive privileges like creating and attaching policies, creating access keys, changing passwords, or impacting data inside S3 buckets.
Bohannon shared actions that are still possible with a quarantined key. An attacker could send arbitrary commands to up-and-running EC2 instances (using ssm:SendCommand), for example, or use another still-permitted action to disable log forwarding.
Go directly to quarantine. DetentionDodger, Bohannon and its creator claim, checks for combinations of actions not prevented by the quarantine that an attacker can still conduct for malicious purposes.
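The check DetentionDodger automates, as an added example that is neither the tool's code nor from the article: a small IAM-style evaluator that applies explicit Deny before Allow and reports which watch-listed actions a key could still perform once a quarantine-style policy is attached. The policy contents, the user's permissions and the watch list are constructed samples, not AWS's real 89-action list; the evaluator only looks at Action strings and ignores Resource, Condition, NotAction, SCPs and permission boundaries.

```python
import fnmatch

# Constructed sample: a cut-down stand-in for AWS's managed quarantine policy
# (AWSCompromisedKeyQuarantineV2). It only mirrors the categories the article
# names (identity listing, role deletion, policy/key creation, password changes,
# S3 data access); it is NOT the real 89-action list.
QUARANTINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Resource": "*", "Action": [
        "iam:ListUsers", "iam:DeleteRole", "iam:CreatePolicy",
        "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:UpdateLoginProfile",
        "s3:GetObject", "s3:PutObject"]}],
}

# Constructed sample: the permissions the user behind the leaked key already held.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:*", "ssm:SendCommand", "iam:*", "s3:*", "logs:*"]}],
}

# Hypothetical auditor watch-list of high-impact actions to report on.
HIGH_IMPACT = ["ssm:SendCommand", "ec2:RunInstances", "iam:CreateAccessKey",
               "logs:DeleteLogGroup", "s3:GetObject", "ses:SendEmail"]


def _matches(pattern, action):
    # IAM action names are case-insensitive and use * and ? as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _actions(policy, effect):
    # Yield every Action string from statements with the requested Effect.
    for stmt in policy["Statement"]:
        if stmt["Effect"] == effect:
            acts = stmt["Action"]
            yield from ([acts] if isinstance(acts, str) else acts)


def evaluate(action, *policies):
    """Action-only IAM evaluation: an explicit Deny wins, then any Allow, else implicit deny."""
    if any(_matches(p, action) for pol in policies for p in _actions(pol, "Deny")):
        return "denied"
    if any(_matches(p, action) for pol in policies for p in _actions(pol, "Allow")):
        return "allowed"
    return "implicit-deny"


def still_allowed(user_policy, quarantine_policy, watch_list):
    """Watch-listed actions the key can still perform despite the quarantine policy."""
    return [a for a in watch_list if evaluate(a, user_policy, quarantine_policy) == "allowed"]
```

Running `still_allowed(USER_POLICY, QUARANTINE_POLICY, HIGH_IMPACT)` on the sample data reports the SSM, EC2 and logging actions as still open, which is the list a defender would rotate the key over and hunt around in CloudTrail.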
Perhaps more important than knowing what can be done is knowing your exposed keys in the first place.
“For any organization, I can immediately know: Do any of my users have leaked access keys, leaked in such a way that AWS found it and applied this quarantine policy? Now that’s already a big step number one,” Bohannon said. He advised those caught with leaked keys to disable and replace them, and to investigate if suspicious activity occurred around the date of the quarantine.
Quarantined keys currently are denied from performing 89 actions.
“You can do a lot of damage and other services that just aren’t listed here,” Bohannon said.
Update 11/26/24: This story was updated to more accurately reflect Amazon’s position.