Remediating potentially compromised Amazon credentials - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Remediating potentially compromised Amazon credentials

Follow these recommended steps to remediate potentially compromised credentials in your Amazon environment:

  1. Identify the potentially compromised IAM entity and the API call used.

    The API call used is listed as API in the finding details. The IAM entity (either an IAM role or user) and its identifying information are listed in the Resource section of the finding details. The type of IAM entity involved is shown in the User Type field, and the name of the IAM entity is shown in the User name field. The type of IAM entity involved in the finding can also be determined from the prefix of the Access key ID that was used.

    For keys beginning with AKIA:

    This type of key is a long-term, customer-managed credential associated with an IAM user or the Amazon Web Services account root user. For information about managing access keys for IAM users, see Managing access keys for IAM users.

    For keys beginning with ASIA:

    This type of key is a short-term temporary credential generated by Amazon Security Token Service (Amazon STS). These keys exist for only a short time and cannot be viewed or managed in the Amazon Management Console. IAM roles always use Amazon STS credentials, but temporary credentials can also be generated for IAM users. For more information on Amazon STS, see IAM: Temporary security credentials.

    If a role was used, the User name field indicates the name of the role. You can determine how the key was requested by examining the sessionIssuer element of the corresponding Amazon CloudTrail log entry. For more information, see IAM and Amazon STS information in CloudTrail.

  2. Review permissions for the IAM entity.

    Open the IAM console. Depending on the type of entity used, choose the Users or Roles tab, and locate the affected entity by typing the identified name into the search field. Use the Permissions and Access Advisor tabs to review the effective permissions for that entity.

  3. Determine whether the IAM entity credentials were used legitimately.

    Contact the user of the credentials to determine if the activity was intentional.

    For example, find out if the user did the following:

    • Invoked the API operation that was listed in the GuardDuty finding

    • Invoked the API operation at the time that is listed in the GuardDuty finding

    • Invoked the API operation from the IP address that is listed in the GuardDuty finding

If this activity is a legitimate use of the Amazon credentials, you can ignore the GuardDuty finding. The GuardDuty console (https://console.amazonaws.cn/guardduty/) allows you to set up rules to entirely suppress individual findings so that they no longer appear. For more information, see Suppression rules.

If you can't confirm that this activity is a legitimate use, it could be the result of a compromise of that particular access key, of the IAM user's sign-in credentials, or possibly of the entire Amazon Web Services account. If you suspect your credentials have been compromised, review the information in the My Amazon Web Services account may be compromised article to remediate this issue.
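The following Python example, added here and not part of the GuardDuty documentation, walks through steps 1 to 3 on a constructed finding and its matching CloudTrail record: it classifies the access key by its AKIA/ASIA prefix, pulls the API, user type, user name, source IP and time that you need to verify with the credential's owner, and for a temporary key reads the sessionIssuer element to find the role that issued it. The JSON field names follow the GuardDuty finding and CloudTrail record layouts; all values (account ID, role name, key ID, IP address) are made up.

```python
import json

# Constructed GuardDuty finding fragment: field names follow the GuardDuty
# finding JSON layout, but every value here is made up for this example.
FINDING = json.loads("""{
  "Resource": {"AccessKeyDetails": {"AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
                                    "UserName": "deploy-role", "UserType": "AssumedRole"}},
  "Service": {"Action": {"AwsApiCallAction": {"Api": "ListBuckets",
                "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}},
              "EventFirstSeen": "2024-01-10T12:34:56Z"}}""")

# Constructed CloudTrail record for the same temporary key.
CLOUDTRAIL_EVENT = json.loads("""{
  "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "deploy-role",
      "arn": "arn:aws-cn:iam::111122223333:role/deploy-role"}}}}""")

def classify_access_key(key_id):
    """Step 1: the key prefix says which kind of credential was used."""
    if key_id.startswith("AKIA"):
        return "long-term"   # IAM user or root access key: manage it in IAM
    if key_id.startswith("ASIA"):
        return "temporary"   # STS credential: find the requester via sessionIssuer
    return "unknown"

def session_issuer(event):
    """Return CloudTrail's sessionIssuer element for an assumed-role call, else None."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer")

def triage(finding, event):
    """Gather the facts steps 1-3 ask for, from the finding and its CloudTrail record."""
    details = finding["Resource"]["AccessKeyDetails"]
    action = finding["Service"]["Action"]["AwsApiCallAction"]
    key_id = details["AccessKeyId"]
    issuer = session_issuer(event) if key_id.startswith("ASIA") else None
    return {
        "api": action["Api"],
        "user_type": details["UserType"],
        "user_name": details["UserName"],
        "key_kind": classify_access_key(key_id),
        "source_ip": action["RemoteIpDetails"]["IpAddressV4"],
        "time": finding["Service"]["EventFirstSeen"],
        # the CloudTrail record must refer to the same key, or it is the wrong event
        "cloudtrail_matches": event.get("userIdentity", {}).get("accessKeyId") == key_id,
        "issuer_arn": issuer["arn"] if issuer else None,
    }
```

The returned api, time and source_ip are exactly the three facts step 3 asks you to confirm with the credential's user, and issuer_arn tells you which role to review in step 2 when the key is temporary.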