The shocking speed of AWS key exploitation

It’s no secret that developers often inadvertently expose AWS access keys online and we know that these keys are being scraped and misused by attackers before organizations get a chance to revoke them.

Clutch Security researchers performed a test to see just how quickly that can happen.

They dispersed AWS access keys (in different scenarios) on:

  • Code hosting and version control platforms: GitHub and GitLab
  • Public code repositories: Docker Hub (for containers), npm (for JavaScript packages), PyPI (for software written in Python), Crates.io (for Rust crates)
  • Repositories for hosting and testing code snippets: JSFiddle, Pastebin, and public and private GitHub Gists
  • Developer forums: Stack Overflow, Quora, Postman Community, and Reddit

The results of this test revealed that attackers tend to find and exploit AWS access keys leaked on GitHub and Docker Hub within a few minutes, and those exposed on PyPI, Pastebin, and the Postman Community within several hours.

AWS secrets published on GitLab, Crates.io, public GitHub Gists, JSFiddle, Stack Overflow, Reddit and Quora were exploited in 1 to 5 days. Only the keys revealed on npm and private GitHub Gists remained unused.

How to automatically revoke exposed AWS keys

The attackers are often fast enough to beat the alerts about exposed keys sent by AWS (if the customer uses AWS’s Security Hub and the Trusted Advisor service), the researchers discovered.

And while AWS puts the exposed keys in automatic “quarantine”, that’s not enough to prevent all misuse: it just limits the attackers’ ability to create some AWS resources.

The AWS access keys leaked by the researchers allowed attackers to log in to the company’s sandboxed cloud environments, engage in reconnaissance, escalate privileges and perform lateral movement, and even try to leverage the company’s infrastructure for resource-intensive operations.

“This isn’t opportunism; it’s automation and intent. The actions we observed paint a picture of methodical, highly organized operations,” the company said in its report.

As Clutch researchers see it, the current problem with leaked AWS keys is that the revocation of these keys is left to the customers, most of which fail to act quickly.

“The reality is clear: the window between exposure and rotation leaves sufficient time for attackers to cause significant damage,” they noted.

So, they’ve created AWSKeyLockdown, an open source security automation tool that immediately disables access keys AWS flagged as compromised.

But they believe that, in the long run, enterprises must rethink their defenses and move away from traditional secret rotation, which “solves nothing”.

Instead, they should embrace Zero Trust and ephemeral identities to shrink the attack surface and limit damage, be on the lookout for potential leaks, and implement automated detection and revocation systems.
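As an added illustration of the automated revocation the researchers recommend, here is a small handler in the style of a Lambda function that reacts to an exposed-key finding and sets the key to Inactive. This is example code written for this article, not the AWSKeyLockdown project's own; it assumes the finding arrives as a Security Hub event via EventBridge with an AwsIamAccessKey resource, and the event and the FakeIam client are constructed so it runs offline.

```python
import re

# IAM access key IDs are AKIA (long-term) or ASIA (temporary) plus 16 uppercase alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"^(?:AKIA|ASIA)[0-9A-Z]{16}$")


def access_key_ids_from_event(event):
    """Collect key IDs from AwsIamAccessKey resources in the findings (assumed event shape)."""
    key_ids = []
    for finding in event.get("detail", {}).get("findings", []):
        for resource in finding.get("Resources", []):
            if resource.get("Type") != "AwsIamAccessKey":
                continue
            key_id = resource.get("Details", {}).get("AwsIamAccessKey", {}).get("AccessKeyId")
            # Validate the format before the value reaches an API call; skip duplicates.
            if key_id and ACCESS_KEY_ID_RE.match(key_id) and key_id not in key_ids:
                key_ids.append(key_id)
    return key_ids


def disable_access_key(iam, key_id):
    """Deactivate the key without deleting it, so forensics can still see who owned it."""
    # get_access_key_last_used maps a key ID to its IAM user without listing every user.
    owner = iam.get_access_key_last_used(AccessKeyId=key_id)["UserName"]
    iam.update_access_key(UserName=owner, AccessKeyId=key_id, Status="Inactive")
    return owner, "Inactive"


def lambda_handler(event, context=None, iam=None):
    """Entry point: disables every flagged key; `iam` is injectable for offline testing."""
    if iam is None:
        import boto3  # imported lazily so the module loads without the SDK installed
        iam = boto3.client("iam")
    return {k: disable_access_key(iam, k) for k in access_key_ids_from_event(event)}


class FakeIam:
    """Constructed in-memory stand-in for the two IAM calls used above."""
    def __init__(self, keys):
        self.keys = dict(keys)  # key_id -> {"UserName": ..., "Status": ...}

    def get_access_key_last_used(self, AccessKeyId):
        return {"UserName": self.keys[AccessKeyId]["UserName"]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
        return {}


# Constructed sample event: one flagged access key plus an unrelated resource to be ignored.
SAMPLE_EVENT = {"detail": {"findings": [{"Resources": [
    {"Type": "AwsIamAccessKey", "Details": {"AwsIamAccessKey": {"AccessKeyId": "AKIAEXAMPLEEXAMPLE01"}}},
    {"Type": "AwsS3Bucket", "Details": {}}]}]}}
```

In a real deployment the handler's execution role needs only iam:GetAccessKeyLastUsed and iam:UpdateAccessKey, and the resulting status change should itself be logged to the incident record.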
