Check for IAM Users with Compromised Credentials

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (act today)

Check for Amazon IAM users with the "AWSCompromisedKeyQuarantine", "AWSCompromisedKeyQuarantineV2", and/or "AWSCompromisedKeyQuarantineV3" managed policies in order to identify IAM users with compromised or exposed credentials within your AWS cloud account. These AWS-managed policies are used by the AWS security team to restrict access to IAM user access keys that are suspected of being compromised.

Security

Compromised IAM user access keys can provide unauthorized access to your AWS cloud account, which may result in data breaches, data loss, and other serious security issues. When AWS identifies a potentially exposed IAM user access key (e.g., through scans of public repositories like GitHub), it flags the key as compromised and applies the "AWSCompromisedKeyQuarantine" policy to the impacted IAM user. This quarantine process is designed to prevent unauthorized access and reduce the risk of potential harm.


Audit

To identify Amazon IAM users with compromised credentials by checking for the presence of "AWSCompromisedKeyQuarantine" managed policies, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Users.

04 Click on the name (link) of the IAM user that you want to examine.

05 Select the Permissions tab to view the IAM policies attached to the selected user.

06 In the Permissions policies section, perform the following actions:

  1. For Filter by Type, select AWS managed to list all the AWS-managed policies attached to the selected IAM user.
  2. Type AWSCompromisedKeyQuarantine in the Search box and press Enter.

07 If the filtering process in the previous step identifies one or more AWSCompromisedKeyQuarantine policies (AWSCompromisedKeyQuarantine, AWSCompromisedKeyQuarantineV2, and/or AWSCompromisedKeyQuarantineV3), the access keys used by the selected Amazon IAM user have been compromised or exposed publicly.

08 Repeat steps no. 4 – 7 for each Amazon IAM user available within your AWS cloud account.

Using AWS CLI

01 Run list-entities-for-policy command (OSX/Linux/UNIX) with custom output filters to list the name of each Amazon IAM user configured with the AWSCompromisedKeyQuarantine policy, available within your AWS cloud account:

aws iam list-entities-for-policy \
	--policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine \
	--entity-filter User \
	--output table \
	--query 'PolicyUsers[*].UserName'

02 The command output should return a table with the requested IAM user identifier(s):

---------------------------
|  ListEntitiesForPolicy  |
+-------------------------+
|  cc-project5-developer  |
+-------------------------+

If the list-entities-for-policy command output returns a table with one or more IAM user names, as shown in the example above, the access keys used by those Amazon IAM users have been compromised or exposed publicly.

03 Run list-entities-for-policy command (OSX/Linux/UNIX) with custom output filters to list the name of each Amazon IAM user configured with the AWSCompromisedKeyQuarantineV2 managed policy, available in your AWS account:

aws iam list-entities-for-policy \
	--policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2 \
	--entity-filter User \
	--output table \
	--query 'PolicyUsers[*].UserName'

04 The command output should return a table with the requested IAM user identifier(s):

---------------------------
|  ListEntitiesForPolicy  |
+-------------------------+
|  cc-project5-developer  |
+-------------------------+

If the command output returns one or more IAM user names, the access keys used by those Amazon IAM users have been compromised or exposed publicly.

05 Run list-entities-for-policy command (OSX/Linux/UNIX) with custom output filters to list the name of each Amazon IAM user configured with the AWSCompromisedKeyQuarantineV3 policy, available in your AWS cloud account:

aws iam list-entities-for-policy \
	--policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3 \
	--entity-filter User \
	--output table \
	--query 'PolicyUsers[*].UserName'

06 The command output should return a table with the requested IAM user identifiers:

---------------------------
|  ListEntitiesForPolicy  |
+-------------------------+
|  cc-project5-developer  |
|  cc-test-prompt-user    |
+-------------------------+

If the command output returns a table with one or more IAM user names, as shown in the example above, the access keys used by those Amazon IAM users have been compromised or exposed publicly.

Remediation / Resolution

To disable the compromised credentials and update the IAM user permissions in order to remove the quarantine policy, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Users.

04 Click on the name (link) of the Amazon IAM user that you want to configure.

05 Select the Security credentials tab to access the IAM user credentials.

06 In the Access keys section, perform the following actions:

  1. Choose the compromised access key, select Actions, and choose Deactivate to disable the affected key. In the Deactivate <access-key-id> box, choose Deactivate for confirmation.
  2. Select Actions, and choose Delete to remove the compromised key. In the Delete <access-key-id> box, enter the access key ID in the required text box, and choose Delete for confirmation. Deleting the compromised key prevents it from being re-enabled.

07 Once the affected access key is decommissioned, you can remove the quarantine policy. Choose the Permissions tab, select the AWSCompromisedKeyQuarantine, AWSCompromisedKeyQuarantineV2, and/or AWSCompromisedKeyQuarantineV3 policies/policy, choose Remove, and select Remove policy/Remove policies for confirmation.

08 Repeat steps no. 4 - 7 for each Amazon IAM user with compromised credentials, available within your AWS cloud account.

Using AWS CLI

01 Run list-access-keys command (OSX/Linux/UNIX) with the name of the Amazon IAM user that you want to configure as the identifier parameter, to describe each access key created for the selected IAM user:

aws iam list-access-keys \
	--user-name cc-project5-developer \
	--query 'AccessKeyMetadata[*]'

02 The command output should return the information available for each requested access key:

[
	{
		"UserName": "cc-project5-developer",
		"AccessKeyId": "ABCD1234ABCD1234ABCD",
		"Status": "Active",
		"CreateDate": "2024-11-15T16:45:46+00:00"
	},
	{
		"UserName": "cc-project5-developer",
		"AccessKeyId": "1234ABCD1234ABCD1234",
		"Status": "Active",
		"CreateDate": "2025-01-28T10:00:00+00:00"
	}
]

03 Run update-access-key command (OSX/Linux/UNIX) to deactivate the compromised access key by setting the --status parameter to Inactive (if the request is successful, the command does not produce an output):

aws iam update-access-key \
	--access-key-id ABCD1234ABCD1234ABCD \
	--status Inactive \
	--user-name cc-project5-developer

04 Run delete-access-key command (OSX/Linux/UNIX) to remove the affected access key from the associated IAM user (if successful, the command does not produce an output). Deleting the compromised key prevents it from being re-enabled:

aws iam delete-access-key \
	--access-key-id ABCD1234ABCD1234ABCD \
	--user-name cc-project5-developer

05 Once the affected access key is decommissioned, you can remove the quarantine policy. Run detach-user-policy command (OSX/Linux/UNIX) to detach the AWSCompromisedKeyQuarantine managed policy from the selected IAM user (the command does not produce an output). To remove the V2 and V3 quarantine policies as well, run the detach-user-policy command again with the --policy-arn parameter set to arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2 for the AWSCompromisedKeyQuarantineV2 policy and to arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3 for the AWSCompromisedKeyQuarantineV3 policy:

aws iam detach-user-policy \
	--user-name cc-project5-developer \
	--policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine

06 Repeat steps no. 1 - 5 for each Amazon IAM user with compromised credentials, available in your AWS cloud account.
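One way to run the audit above across all three quarantine policies in a single pass and then apply the remediation steps in the order this page prescribes (deactivate, delete, and only then detach), as an added example that is not part of the Conformity page or the AWS CLI. It assumes an IAM client exposing boto3's method names; FakeIam is a constructed offline stand-in, and with real credentials you would pass boto3.client("iam") instead.

```python
# Added example (not Conformity's or AWS's code). Expects an IAM client with
# boto3's method names (boto3.client("iam")); FakeIam below is a constructed
# in-memory stand-in so the script runs offline.
QUARANTINE_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine",
    "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2",
    "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3",
]

def quarantined_users(iam):
    """Return {user_name: [policy_arn, ...]} for every quarantined IAM user."""
    found = {}
    for arn in QUARANTINE_POLICY_ARNS:
        kwargs = {"PolicyArn": arn, "EntityFilter": "User"}
        while True:  # ListEntitiesForPolicy is paginated: follow Marker to the end
            page = iam.list_entities_for_policy(**kwargs)
            for user in page.get("PolicyUsers", []):
                found.setdefault(user["UserName"], []).append(arn)
            if not page.get("IsTruncated"):
                break
            kwargs["Marker"] = page["Marker"]
    return found

def remediate_user(iam, user_name, compromised_key_ids, policy_arns):
    """Deactivate and delete the exposed keys, then detach the quarantine policies.
    Keys go first so no live key regains full permissions when the quarantine lifts."""
    for key_id in compromised_key_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    for arn in policy_arns:
        iam.detach_user_policy(UserName=user_name, PolicyArn=arn)
    return list(compromised_key_ids)

class FakeIam:
    """Constructed stand-in for boto3's IAM client; every response fits in one page."""
    def __init__(self, attachments, keys):
        self.attachments = attachments  # policy ARN -> [user names]
        self.keys = keys                # user name -> {access key ID: status}
    def list_entities_for_policy(self, PolicyArn, EntityFilter, Marker=None):
        users = [{"UserName": u} for u in self.attachments.get(PolicyArn, [])]
        return {"PolicyUsers": users, "IsTruncated": False}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]
    def detach_user_policy(self, UserName, PolicyArn):
        self.attachments[PolicyArn].remove(UserName)
```

Unlike the CLI, which pages through ListEntitiesForPolicy automatically, a raw API call returns one page at a time, so the Marker loop is what keeps users beyond the first page from being missed.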

Publication date Feb 13, 2025