01 Run the list-entities-for-policy command (OSX/Linux/UNIX) with custom output filters to list the name of each Amazon IAM user that has the AWSCompromisedKeyQuarantine managed policy attached, within your AWS cloud account:
aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine \
  --entity-filter User \
  --output table \
  --query 'PolicyUsers[*].UserName'
02 The command output should return a table with the requested IAM user identifier(s):
---------------------------
|  ListEntitiesForPolicy  |
+-------------------------+
|  cc-project5-developer  |
+-------------------------+
If the list-entities-for-policy command output returns a table with one or more IAM user names, as shown in the example above, AWS has attached the quarantine policy to those users because the access keys they use have been compromised or exposed publicly.
03 Run the list-entities-for-policy command (OSX/Linux/UNIX) with custom output filters to list the name of each Amazon IAM user that has the AWSCompromisedKeyQuarantineV2 managed policy attached, within your AWS account:
aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2 \
  --entity-filter User \
  --output table \
  --query 'PolicyUsers[*].UserName'
04 The command output should return a table with the requested IAM user identifier(s):
---------------------------
|  ListEntitiesForPolicy  |
+-------------------------+
|  cc-project5-developer  |
+-------------------------+
If the command output returns one or more IAM user names, AWS has attached the quarantine policy to those users because the access keys they use have been compromised or exposed publicly.
05 Run the list-entities-for-policy command (OSX/Linux/UNIX) with custom output filters to list the name of each Amazon IAM user that has the AWSCompromisedKeyQuarantineV3 managed policy attached, within your AWS cloud account:
aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3 \
  --entity-filter User \
  --output table \
  --query 'PolicyUsers[*].UserName'
06 The command output should return a table with the requested IAM user identifiers:
---------------------------
|  ListEntitiesForPolicy  |
+-------------------------+
|  cc-project5-developer  |
|  cc-test-prompt-user    |
+-------------------------+
If the command output returns a table with one or more IAM user names, as shown in the example above, AWS has attached the quarantine policy to those users because the access keys they use have been compromised or exposed publicly.
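The six steps above run the same query three times, once per version of the quarantine policy. The script below is an added example (not part of the original page, and not a tool from AWS or from the page's author) that folds all three queries into one pass: it checks every version of the AWSCompromisedKeyQuarantine policy, reports each affected user next to the policy version that flagged it, and returns a non-zero exit status when any user is found, so it can run as a scheduled check. It assumes the AWS CLI is installed with credentials allowed to call iam:ListEntitiesForPolicy, uses --output text instead of table so the names can be parsed, and guards its automatic run on the script being saved as quarantine_check.sh (an assumed file name).

```shell
#!/bin/sh
# Added example, not from the original page: audit all three versions of the
# AWSCompromisedKeyQuarantine managed policy in one pass and list every IAM
# user that has any of them attached. Assumes the AWS CLI is on PATH with
# credentials permitted to call iam:ListEntitiesForPolicy.

# The three policy ARNs checked in the steps above, one per line.
QUARANTINE_POLICY_ARNS="arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine
arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2
arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3"

# Print the user names attached to one policy, one per line.
# With --output text the JMESPath list is rendered as a single tab-separated
# line (nothing at all for an empty list), so it is split with tr and any
# blank or "None" lines are dropped.
users_for_policy() {
    arn="$1"
    aws iam list-entities-for-policy \
        --policy-arn "$arn" \
        --entity-filter User \
        --output text \
        --query 'PolicyUsers[*].UserName' \
    | tr '\t' '\n' | sed '/^$/d; /^None$/d'
}

# Print "<policy name><TAB><user name>" for every match across all versions,
# so the report shows which policy version flagged each user.
quarantined_users_by_policy() {
    for arn in $QUARANTINE_POLICY_ARNS; do
        name=${arn##*/}
        users_for_policy "$arn" | while IFS= read -r user; do
            printf '%s\t%s\n' "$name" "$user"
        done
    done
}

# Print the de-duplicated, sorted list of affected user names (a user may
# carry more than one policy version).
quarantined_users() {
    quarantined_users_by_policy | cut -f2 | sort -u
}

# Return 1 when at least one user carries a quarantine policy, 0 otherwise,
# so the script can serve as a scheduled or CI check.
check_no_quarantined_users() {
    found=$(quarantined_users)
    if [ -n "$found" ]; then
        printf 'IAM users with compromised access keys (quarantine policy attached):\n%s\n' "$found" >&2
        return 1
    fi
    echo "No IAM user has a quarantine policy attached."
    return 0
}

# Run the check only when executed as quarantine_check.sh (assumed file name),
# not when the functions are sourced by another script.
case "$0" in
    *quarantine_check.sh) check_no_quarantined_users ;;
esac
```

Save it as quarantine_check.sh and run `sh quarantine_check.sh`; an exit status of 1 means at least one user was listed on stderr. Because the AWS CLI paginates list-entities-for-policy automatically, accounts with many attached users need no extra handling here.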