Skip to main content

AWS credentials Remediation Process

These are the steps to be followed if we learn a set of AWS credentials have been compromised. If the credentials are for a Cloud Platform managed service, that needs to be handled by the Cloud Platform team so let them know

Make sure the relevant user/service are made aware and establish a channel of communication with them. Jointly with the user, evaluate the best course of action to retire the credentials.

The credentials can be retired immediately

  1. Locate the user in the IAM section of the AWS console
  2. Delete all keys and also disable the password if there is one.
  3. Attach a AWSDenyAll policy to the user while remediation is in progress
  • Click on the user from the IAM Users Screen
  • In the Permissions tab, click Add Permission
  • Select “Add policy” from the 3 tabs on the page
  • Find the AWSDenyAll policy and apply it to the user
  1. Investigate CloudTrail logs for activity from that user in case any resources have been created or other relevant activity after the time you were made aware of the compromise.
  2. Once you feel safe to do so, force the password reset on the user and have them issue themselves new keys.

Retiring the credentials immediately will lead to service downtime

  1. Agree an approach with the affected service team. This needs to be done quickly. If key decision makers are not available at the time, the security of the estate and the service take precendence over downtime.
  2. Based on the agreed approach, you might re-issue a new key first before deleting the old one.
  3. In all cases, keep a close eye on the CloudTrail logs for any activity coming from the compromised credentials so you can immediately detect and potentially shut down unwanted activity.

In all cases this is a security incident and so the security team should be made aware of it. The service team/user might need to additional remediation based on advice from Security. It is the responsibility of the service team to contact security using the provided form.

This page was last reviewed on 5 June 2024. It needs to be reviewed again on 5 September 2024 by the page owner #operations-engineering-alerts .
This page was set to be reviewed before 5 September 2024 by the page owner #operations-engineering-alerts. This might mean the content is out of date.