Cloud Threat Landscape

Leaked long-lived AWS creds

Type: Incident
Actors: ❓Unknown
Pub. date: October 7, 2022
Initial access:
Impact: None
Observed techniques: Cloud API enumeration; Create new cloud user
References: https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ
Status: Stub
Last edited: Jun 2, 2024 8:02 AM

The impacted organization discovered that long-lived AWS credentials had leaked. It was initially alerted by the following suspicious activity:

  • Successful authentication to the AWS API from an unusual location (outside AWS) and/or with a suspicious user agent ('aws-cli/kali').
  • An attempted CreateUser API call and user-account enumeration, both resulting in "access denied".

A follow-up investigation of the CloudTrail logs showed that multiple IAM accounts had been compromised and found evidence that long-lived access keys had leaked.
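The two alert conditions above (an API call from outside the expected networks or with a suspicious user agent, followed by a denied CreateUser or user-enumeration call) and the follow-up correlation across IAM users can be written as a small triage pass over CloudTrail records. The Python below is an added example written for this page; it is not Wiz tooling and not the impacted organization's detection logic. The CloudTrail events, IP addresses, principal names, access key ids and the EXPECTED_SOURCE_NETS allowlist are all constructed assumptions. It goes slightly beyond the text by separating long-lived IAM access keys (AKIA prefix) from temporary STS credentials (ASIA prefix), so the output doubles as a rotation list.

```python
import ipaddress
from collections import defaultdict

# Constructed CloudTrail-style records. Field names follow the CloudTrail schema;
# the times, IPs, principal names and key ids are made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2022-10-06T09:12:01Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ops-bot", "accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.4 Linux/6.1 exe/x86_64"},
    {"eventTime": "2022-10-06T22:40:13Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLE000000002"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/kali"},
    {"eventTime": "2022-10-06T22:40:20Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLE000000002"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/kali",
     "errorCode": "AccessDenied"},
    {"eventTime": "2022-10-06T22:41:02Z", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "backup", "accessKeyId": "AKIAEXAMPLE000000003"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/kali",
     "errorCode": "AccessDenied"},
    {"eventTime": "2022-10-06T23:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000004",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ec2-worker/i-0abc"},
     "sourceIPAddress": "ec2.amazonaws.com", "userAgent": "ec2.amazonaws.com"},
]

# Assumption: the organization's known egress networks (VPN / NAT). In practice this
# would be populated from real infrastructure data, plus AWS's published ip-ranges.json.
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# IAM read calls that, when denied, look like account enumeration with a low-privilege key.
ENUMERATION_CALLS = {"ListUsers", "GetUser", "ListAccessKeys", "ListRoles", "GetAccountAuthorizationDetails"}

# Substrings the page reports in the offending user agent ('aws-cli/kali').
SUSPICIOUS_UA_MARKERS = ("kali",)


def is_long_lived_key(access_key_id):
    """AKIA-prefixed ids are long-lived IAM user keys; ASIA-prefixed ids are temporary STS credentials."""
    return access_key_id.startswith("AKIA")


def outside_expected_networks(source):
    """True when sourceIPAddress is a routable IP that is not in any expected network."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        # CloudTrail records a service DNS name (e.g. "ec2.amazonaws.com") when an AWS
        # service makes the call on the principal's behalf; that is inside AWS, not an alert.
        return False
    return not any(ip in net for net in EXPECTED_SOURCE_NETS)


def score_event(event):
    """Return the list of reasons a single CloudTrail record is suspicious (empty if none)."""
    reasons = []
    user_agent = event.get("userAgent", "")
    if any(marker in user_agent.lower() for marker in SUSPICIOUS_UA_MARKERS):
        reasons.append(f"suspicious user agent: {user_agent}")
    source = event.get("sourceIPAddress", "")
    if outside_expected_networks(source):
        reasons.append(f"call from unexpected source: {source}")
    name = event.get("eventName")
    denied = event.get("errorCode") == "AccessDenied"
    if name == "CreateUser":
        reasons.append("CreateUser attempt" + (" (denied)" if denied else " (succeeded)"))
    elif name in ENUMERATION_CALLS and denied:
        reasons.append(f"denied enumeration call: {name}")
    return reasons


def triage(events):
    """Group suspicious records by principal and note which used long-lived keys."""
    findings = defaultdict(lambda: {"reasons": [], "access_keys": set(), "long_lived_key": False})
    for event in events:
        reasons = score_event(event)
        if not reasons:
            continue
        identity = event.get("userIdentity", {})
        principal = identity.get("userName") or identity.get("arn", "<unknown>")
        entry = findings[principal]
        entry["reasons"].extend(f"{event['eventTime']} {event['eventName']}: {r}" for r in reasons)
        key = identity.get("accessKeyId", "")
        if key:
            entry["access_keys"].add(key)
            entry["long_lived_key"] = entry["long_lived_key"] or is_long_lived_key(key)
    return dict(findings)


def long_lived_keys_to_rotate(findings):
    """Sorted list of AKIA keys seen on any flagged principal: the immediate rotation list."""
    return sorted(k for f in findings.values() for k in f["access_keys"] if is_long_lived_key(k))


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for principal, finding in result.items():
        print(principal, "long-lived key:", finding["long_lived_key"])
        for reason in finding["reasons"]:
            print("   ", reason)
    print("rotate:", long_lived_keys_to_rotate(result))
```

The source-address check deliberately treats a non-IP sourceIPAddress as internal: CloudTrail puts a service DNS name there when an AWS service acts on the principal's behalf, and a naive "not in allowlist" rule would page on every such event. Correlating by principal rather than by single event is what surfaces the second half of the write-up: several different IAM users appearing from the same unexpected source with the same odd user agent is the signature of a leaked credential set, not one misconfigured workstation.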

Last Updated: April 3, 2025