Leaked AWS access key — billing, S3, and lateral movement

An access key that lands in a public repository is scraped and validated by automated tooling within minutes, often in under 60 seconds. The three most common attacker workflows map onto the title: spinning up GPU instances for cryptomining (billing), pulling every readable S3 bucket (data exfiltration), and escalating through over-permissive IAM (lateral movement and persistence).

The next 60 seconds matter

The attacker first learns what the key can do: aws sts get-caller-identity returns the account ID and the user the key belongs to, and aws iam list-attached-user-policies --user-name <user> (or simply a burst of trial API calls, which show up in CloudTrail as AccessDenied errors) maps its permissions. If the key can launch EC2, GPU miners spin up in dozens of regions in parallel. If it can read S3, every bucket it can list is pulled down. If it can write IAM, the attacker creates a fresh user or access key for persistence, so deactivating the leaked key alone does not evict them.

  • Spin up p4d.24xlarge mining instances in 20+ regions ($10K/day) wherever the account's vCPU quota for P instances allows it; attackers file quota-increase requests where it doesn't
  • List and exfiltrate every S3 bucket the key can see
  • Create a new IAM user with admin access for persistence
  • Read Secrets Manager / Parameter Store values

Rotation playbook

  1. AWS Console → IAM → Users → (the leaked user) → Security credentials → Access keys → Deactivate the key immediately (equivalently, aws iam update-access-key --user-name <user> --access-key-id <key-id> --status Inactive). Deactivate rather than delete: deactivation is instant and reversible if a production system turns out to depend on the key, and you delete it once step 2 is done
  2. Create a new access key pair and roll it through every system that used the old one; only then delete the old key
  3. Review CloudTrail for calls made with the leaked key ID (filter on userIdentity.accessKeyId) in every region, not just the ones you use. Look back to when the key was exposed (the commit or paste date), which may be much earlier than the past 24 hours, and treat bursts of AccessDenied errors, RunInstances in regions you never use, and CreateUser/CreateAccessKey as confirmed abuse
  4. If anomalies: escalate to AWS Abuse and trigger your IR plan. Terminate rogue instances, delete any users and access keys the attacker created, and rotate every credential the key could have read (Secrets Manager and Parameter Store values, anything stored in the exfiltrated buckets)
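
The triage in step 3 is mechanical enough to script. The block below is an added example, not the page's or AWS's tooling: it takes CloudTrail records (the dicts found under "Records" in a trail's log files), keeps only the ones made with the leaked key ID inside the look-back window, and tags each with the attacker workflow it corresponds to (recon, mining, exfil, persistence, secrets), an unusual-region flag, and a denied flag for AccessDenied. The records, the home-region set, the fixed clock and the leaked key ID (AWS's documented placeholder) are all constructed for the example; the mapping from API call to workflow is my own, not an AWS list.

```python
"""Triage CloudTrail records for one leaked access key ID.

Added example, not the page's own tooling. The records below are constructed to
match CloudTrail's JSON shape (eventTime, eventName, awsRegion, sourceIPAddress,
userIdentity.accessKeyId, errorCode); the key ID is AWS's documented placeholder
and the IPs come from the TEST-NET ranges.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# API calls that correspond to the attacker workflows above (my mapping, not AWS's).
# S3 GetObject only appears if S3 data events are enabled on the trail; ListBuckets,
# GetSecretValue and GetParameter are management events and are logged by default.
HIGH_RISK = {
    "GetCallerIdentity": "recon", "ListAttachedUserPolicies": "recon",
    "GetAccountAuthorizationDetails": "recon",
    "RunInstances": "mining", "RequestServiceQuotaIncrease": "mining",
    "ListBuckets": "exfil", "GetObject": "exfil",
    "CreateUser": "persistence", "CreateAccessKey": "persistence",
    "AttachUserPolicy": "persistence", "PutUserPolicy": "persistence",
    "GetSecretValue": "secrets", "GetParameter": "secrets", "GetParametersByPath": "secrets",
}
HOME_REGIONS = {"us-east-1", "eu-west-1"}   # regions this hypothetical account uses

LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the sample


def _rec(time, name, region, key, ip="198.51.100.7", error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    r = {"eventTime": time, "eventName": name, "awsRegion": region,
         "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if error:
        r["errorCode"] = error
    return r


SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:05Z", "GetCallerIdentity", "us-east-1", LEAKED_KEY),
    _rec("2024-05-01T10:00:09Z", "ListAttachedUserPolicies", "us-east-1", LEAKED_KEY),
    _rec("2024-05-01T10:01:30Z", "RunInstances", "ap-south-1", LEAKED_KEY),
    _rec("2024-05-01T10:01:31Z", "RunInstances", "sa-east-1", LEAKED_KEY),
    _rec("2024-05-01T10:02:00Z", "CreateUser", "us-east-1", LEAKED_KEY),
    _rec("2024-05-01T10:02:20Z", "GetSecretValue", "us-east-1", LEAKED_KEY, error="AccessDenied"),
    # noise: a different key, and the same key three days earlier (outside the window)
    _rec("2024-05-01T09:00:00Z", "ListBuckets", "us-east-1", "AKIA0TH3RK3Y0TH3RK3Y", ip="203.0.113.9"),
    _rec("2024-04-28T10:00:00Z", "GetCallerIdentity", "us-east-1", LEAKED_KEY, ip="203.0.113.9"),
]


def triage(records, key_id, home_regions=HOME_REGIONS, since_hours=24, now=None):
    """Return the calls made with key_id inside the window, each tagged with risk flags."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(hours=since_hours)
    findings = []
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue
        when = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        if when < cutoff:
            continue
        flags = []
        if rec["eventName"] in HIGH_RISK:
            flags.append(HIGH_RISK[rec["eventName"]])
        if rec.get("awsRegion") not in home_regions:
            flags.append("unusual-region")
        if rec.get("errorCode"):
            flags.append("denied")   # AccessDenied bursts are permission enumeration
        findings.append({"time": rec["eventTime"], "event": rec["eventName"],
                         "region": rec.get("awsRegion"), "ip": rec.get("sourceIPAddress"),
                         "flags": flags})
    return findings


def summarize(findings):
    """Roll findings up into what the IR call needs: counts per flag, regions, source IPs."""
    return {
        "calls": len(findings),
        "by_flag": Counter(f for x in findings for f in x["flags"]),
        "regions": sorted({x["region"] for x in findings}),
        "source_ips": sorted({x["ip"] for x in findings}),
        "persistence_created": any("persistence" in x["flags"] for x in findings),
    }


def run_sample():
    """Run the triage over the constructed records with the fixed clock."""
    findings = triage(SAMPLE_RECORDS, LEAKED_KEY, now=NOW)
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, summary = run_sample()
    for f in findings:
        print(f["time"], f["event"], f["region"], f["ip"], ",".join(f["flags"]) or "-")
    print(summary)
```

On the sample the summary reports six calls from one source IP across three regions, two of them RunInstances outside the home regions and one CreateUser, so "persistence_created" is true and step 4 applies: the new user has to be found and deleted, not just the leaked key. Widen since_hours to cover the whole exposure window when you run this for real.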

Prevent the next one

  • Prefer IAM roles (assumed via STS) over long-lived access keys: instance profiles for EC2, task roles for ECS, OIDC federation for CI runners
  • Enable AWS GuardDuty for anomalous API-call detection, and route its findings somewhere that pages a human
  • Use short-lived credentials from IAM Identity Center / SSO for people; nobody should have a permanent key on a laptop
  • Rotate every access key quarterly as a default, and audit the IAM credential report for keys older than that or active but never used
  • Scope each key to the least privilege its workload needs; a key that can only write to one S3 prefix limits the blast radius when it leaks
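
The quarterly rotation rule is only enforceable if something checks it. The block below is an added example, not the page's or AWS's tooling: it parses an IAM credential report (the CSV that aws iam get-credential-report returns base64-encoded, with the column names used here) and flags every active access key that is older than 90 days or has sat unused for more than 30 days. The report contents, user names and dates are constructed, and the 30-day idle threshold is my assumption; the 90-day limit is the page's quarterly default.

```python
"""Find access keys that violate the rotation or idle policy in an IAM credential report.

Added example, not the page's own tooling. The real report comes from
`aws iam get-credential-report` (base64-encoded CSV with the columns below);
this one is constructed with made-up users and dates.
"""
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90    # the page's quarterly rotation default
MAX_IDLE_DAYS = 30   # active key unused this long: probably orphaned (assumption)
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)   # fixed clock for the sample

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-01-10T09:00:00+00:00,not_supported,2024-04-30T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-03-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-11-01T00:00:00+00:00,2024-04-30T07:12:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
old-contractor,arn:aws:iam::123456789012:user/old-contractor,2021-06-01T00:00:00+00:00,true,2023-01-05T10:00:00+00:00,2021-06-01T00:00:00+00:00,N/A,false,true,2021-06-01T00:00:00+00:00,2023-01-05T10:10:00+00:00,eu-west-1,s3,true,2024-04-20T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2024-02-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-03-15T00:00:00+00:00,2024-04-30T23:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _ts(value):
    """Report timestamps are ISO-8601 with +00:00; N/A, no_information and
    not_supported all mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW, max_age=MAX_AGE_DAYS, max_idle=MAX_IDLE_DAYS):
    """One finding per active access key that is stale (older than max_age) or
    idle/never used for longer than max_idle. Inactive keys are skipped: they
    cannot be abused, only deleted."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue   # no rotation date for an active key: nothing to measure
            last_used = _ts(row[f"access_key_{slot}_last_used_date"])
            age = (now - rotated).days
            # A key that has never been used has been idle since it was created,
            # so a brand-new unused key is not flagged until max_idle days pass.
            idle = (now - last_used).days if last_used else age
            reasons = []
            if age > max_age:
                reasons.append("stale")
            if idle > max_idle:
                reasons.append("never-used" if last_used is None else "idle")
            if reasons:
                findings.append({"user": row["user"], "key_slot": int(slot),
                                 "age_days": age, "idle_days": idle, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"{f['user']} key {f['key_slot']}: {f['age_days']}d old, "
              f"{f['idle_days']}d idle -> {', '.join(f['reasons'])}")
```

On the sample, ci-deploy's key is in daily use but 182 days old (rotate it), old-contractor's first key is both ancient and idle for over a year (delete it), the contractor's 11-day-old second key is unused but too new to call orphaned, and svc-backup is clean. The idle finding is the more urgent one: a key nobody uses is a key nobody will notice being used.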

Pattern we scan for

AKIA[0-9A-Z]{16} (long-term access key ID) paired with a 40-character secret access key drawn from [A-Za-z0-9/+]. Temporary credentials issued by STS use the ASIA prefix and expire on their own, but they travel with a session token and are worth flagging while they are still valid. A key ID on its own is a strong enough signal to investigate; the secret is what makes it exploitable.
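
A scanner for that pattern, as an added example rather than the page's own scanning engine: it finds every AKIA/ASIA key ID in a blob of text, records the line, and tries to pair it with a 40-character base64-alphabet token that follows within a few hundred characters. The pairing window and the mixed-case-plus-digit filter (which rejects a 40-character lowercase hex git SHA, a common false positive next to a key in a config file) are my assumptions, not anything the page specifies. The sample text is constructed and uses AWS's documented placeholder key ID and secret; no live validation call is made.

```python
"""Find AWS access key IDs and adjacent secret access keys in text.

Added example, not the page's scanner. Sample input is constructed; the first
key/secret pair is AWS's documented placeholder, the other key IDs are made up.
"""
import re

# The page's pattern for long-term key IDs, plus the ASIA prefix that temporary
# STS credentials carry. \b keeps us from matching inside a longer token.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Candidate secret: exactly 40 chars of the base64 alphabet, not part of a longer run.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")
WINDOW = 300   # chars after the key ID in which a secret counts as "paired" (assumption)

SAMPLE = """\
# config.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GIT_SHA = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
# temporary credentials pasted into a ticket (constructed)
aws_access_key_id=ASIAQ7ZY3MVR5KCT2BXL
# a bare key ID with no secret anywhere near it
key: AKIAABCDEFGHIJKLMNOP
"""


def looks_like_secret(token: str) -> bool:
    """Cheap false-positive filter (assumption): secret access keys are random
    base64, so they are mixed-case and contain digits. A git SHA (lowercase hex)
    or a long lowercase word run has the right length but fails this."""
    return (any(c.islower() for c in token) and any(c.isupper() for c in token)
            and any(c.isdigit() for c in token))


def find_credentials(text: str, window: int = WINDOW):
    """Return one dict per key ID found: id, kind, 1-based line, and the first
    plausible secret within `window` chars after it (None if there is none)."""
    hits = []
    for m in KEY_ID_RE.finditer(text):
        key_id = m.group(1)
        line = text.count("\n", 0, m.start()) + 1
        secret = None
        # Search only the slice after this key ID; finditer(pos, endpos) bounds it.
        for s in SECRET_RE.finditer(text, m.end(), m.end() + window):
            if looks_like_secret(s.group(1)):
                secret = s.group(1)
                break
        hits.append({"id": key_id,
                     "kind": "temporary" if key_id.startswith("ASIA") else "long-term",
                     "line": line, "secret": secret})
    return hits


if __name__ == "__main__":
    for h in find_credentials(SAMPLE):
        status = "PAIRED with secret" if h["secret"] else "key ID only"
        print(f"line {h['line']}: {h['id']} ({h['kind']}) {status}")
```

On the sample the first hit is a long-term key paired with its secret (the case that warrants paging someone), the git SHA on the next line is skipped, the ASIA key is reported as temporary with no secret, and the bare AKIA on the last line is a key ID only. Confirming that a found pair is still live is a separate step (aws sts get-caller-identity with the pair), and doing so against someone else's key is an authorization question before it is a technical one.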