Update Compromised_IAM_Credentials.md (#13)
https://repost.aws/knowledge-center/potential-account-compromise. AWSExposedCredentialPolicy_DO_NOT_REMOVE is not used in compromise by AWS anymore.
EadesCloudDef authored Mar 6, 2024
1 parent 7ccb587 commit bce7a09
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/Compromised_IAM_Credentials.md
Expand Up @@ -95,7 +95,7 @@ There are multiple ways to detect compromised credentials within your AWS enviro

1. identify unusual IAM user creation by looking at creation date and the password last used/changed columns.
2. Check if any IAM users have two or more access keys.
3. Check if any IAM users have *AWSExposedCredentialPolicy\_DO\_NOT\_REMOVE* attached. If so, rotate its access keys.
3. Check if any IAM users have *AWSCompromisedKeyQuarantineV2* attached. If so, rotate its access keys.

4. Review IAM Roles within the AWS account, to identify any unfamiliar roles that have been created or accessed
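
Review bot: In the changed step 3, swapping the policy name outright means an IAM user that still has *AWSExposedCredentialPolicy_DO_NOT_REMOVE* attached from an earlier exposure is no longer caught by this checklist. The commit message says AWS no longer applies that policy, but that does not remove it from users it was already attached to, so consider listing it as a legacy name next to *AWSCompromisedKeyQuarantineV2* rather than dropping it. Two smaller points on the same line: "rotate its access keys" reads as if the keys belong to the policy, so "rotate that user's access keys" would be clearer, and the repost.aws knowledge-center link from the commit message would be worth citing in the document itself so readers can verify the current policy name.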
