{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/aws/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["AWS"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Identity and Access Management (IAM)"],"_cs_severities":["high"],"_cs_tags":["credential-access","cloud","aws"],"_cs_type":"threat","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies when the AWS-managed \u003ccode\u003eCompromisedKeyQuarantine\u003c/code\u003e or \u003ccode\u003eCompromisedKeyQuarantineV2\u003c/code\u003e policy is attached to an IAM user. This action is performed by AWS in response to identifying compromised or publicly exposed credentials associated with that user. The attachment of this policy restricts the user's ability to perform certain actions within the AWS environment. AWS typically accompanies this action with a support case that provides specific instructions for remediating the compromised credentials and restoring normal access. The rule is designed to alert security teams to this AWS-initiated quarantine so that they can investigate the root cause of the credential compromise and follow AWS's recommended remediation steps. This activity is flagged as high severity because it confirms active credential compromise impacting the cloud environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Exposure:\u003c/strong\u003e An IAM user's credentials (access key ID and secret access key) are exposed publicly, e.g., through a code repository, public forum, or misconfigured system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAWS Detection:\u003c/strong\u003e AWS detects the exposed credentials through its monitoring systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Attachment:\u003c/strong\u003e AWS uses the \u003ccode\u003eAttachUserPolicy\u003c/code\u003e API operation to attach the \u003ccode\u003eCompromisedKeyQuarantine\u003c/code\u003e or \u003ccode\u003eCompromisedKeyQuarantineV2\u003c/code\u003e AWS managed policy to the affected IAM user. This policy restricts the user's permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSupport Case Creation:\u003c/strong\u003e AWS creates a support case detailing the compromised credentials and providing instructions for remediation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNotification:\u003c/strong\u003e The AWS account owner is notified of the support case and the attached quarantine policy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInvestigation:\u003c/strong\u003e The security team investigates the root cause of the credential exposure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemediation:\u003c/strong\u003e Following the instructions in the support case, the security team disables or rotates the compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Removal:\u003c/strong\u003e After the compromised credentials have been addressed, the security team detaches the quarantine policy.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe attachment of the \u003ccode\u003eCompromisedKeyQuarantine\u003c/code\u003e policy by AWS indicates a significant security event. The user's access to AWS resources is immediately restricted, potentially disrupting legitimate operations. While AWS initiates this quarantine to prevent further damage, the underlying credential compromise could have allowed unauthorized access to sensitive data or resources prior to the quarantine. Successful exploitation prior to detection and remediation could lead to data breaches, resource hijacking, or other malicious activities. The number of affected users and the extent of the potential damage depend on the scope of access granted to the compromised IAM user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect the attachment of the \u003ccode\u003eCompromisedKeyQuarantine\u003c/code\u003e policy via the \u003ccode\u003eAttachUserPolicy\u003c/code\u003e API call in CloudTrail logs to quickly identify compromised IAM user accounts.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e field in the CloudTrail logs to identify the specific \u003ccode\u003euserName\u003c/code\u003e that has been quarantined (as referenced in the \u0026quot;Investigating AWS IAM CompromisedKeyQuarantine Policy Attached to User\u0026quot; section) and correlate with any AWS support cases.\u003c/li\u003e\n\u003cli\u003eFollow the instructions provided in the AWS support case, prioritizing credential rotation or revocation to prevent further unauthorized access.\u003c/li\u003e\n\u003cli\u003eReview and update policies on credential storage to prevent public exposure, as highlighted in the \u0026quot;Policy Update\u0026quot; remediation step, referencing the AWS IAM User Guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-20T16:27:52Z","date_published":"2024-07-20T16:27:52Z","id":"https://feed.craftedsignal.io/briefs/2024-07-aws-compromised-key-quarantine/","summary":"Detection of the AWS `CompromisedKeyQuarantine` policy being attached to an IAM user, indicating that AWS has flagged the user's credentials as compromised or publicly exposed, and is providing instructions via a support case for remediation.","title":"AWS IAM CompromisedKeyQuarantine Policy Attachment","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-compromised-key-quarantine/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS","version":"https://jsonfeed.org/version/1.1"}