AWS Launches Enhancements for Key Quarantine Policy

Recently, AWS expanded the scope of their AWSCompromisedKeyQuarantine policies (v2 and v3) to include new actions. This policy is used by AWS to lock down access keys that they believe have been compromised. A common example of this process in action is when AWS automatically applies the quarantine policy to any keys discovered by scanning public GitHub repositories.

This proactive security mechanism can stop compromises before they happen. However, only a limited set of actions is restricted by the policy. The MAMIP project continuously monitors AWS managed policies, such as AWSCompromisedKeyQuarantine, for changes. On October 2nd, 2024, it picked up changes to the policy that added ~29 new actions that will be restricted.

MAMIP repository

Looking at the list of actions that were added, it's clear AWS has been tracking the actions that threat actors abuse once they compromise credentials. Let's take a look at some specific examples to understand why they were added to the list.

The advent of LLMjacking was reported by Sysdig earlier this year and involves the abuse of hosted LLMs for a variety of purposes. This attack vector can get very expensive for the victim, as models like Anthropic's Claude aren't cheap. In the policy changes we can see that five AWS Bedrock calls have now been restricted. These actions were all shown to be used by the attackers in the threat reports above.

AMBERSQUID was an operation detected by the Sysdig TRT in September 2023, which leveraged lesser-known AWS services to conduct cryptomining. Specifically, the attacker used the Amplify, CodeBuild, SageMaker, and ECS services during the operation. The AMBERSQUID attackers used stolen credentials to very quickly launch miners using all of these services. Since these services are lesser known and may not provide the same potential visibility as services like EC2, they are a tempting target due to a lack of detections. With the changes to the policy, many of these actions will no longer be possible if an access key has the quarantine policy attached.

Earlier this year, Datadog reported on ECS-based attacks in which compromised credentials were used to create Fargate clusters in order to run cryptominers. The attackers used randomized names and spread their activity across many different regions. This approach allowed them to scale their operations to make as much money as possible before being shut off.

Another attack reported by Datadog this year covers how attackers abuse the Simple Email Service (SES) to send spam and phishing messages. This is yet another way compromised credentials are used to make money or further an attacker's goals. Both the ECS and SES actions have now been addressed in the policy changes.

It is important to remember that, while these are important steps taken by AWS, these protections are only applied to access keys that AWS believes have been compromised. If the AWSCompromisedKeyQuarantine policy has not been applied to the key, none of the restrictions will apply. Protecting your organization's credentials and monitoring them for signs of abuse is still critical.
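To make the two points above concrete, the following added example (written for this article, not code from AWS or from the MAMIP project) does what a policy monitor like MAMIP does at its core: it diffs the Deny actions between two versions of a managed policy, then evaluates whether a list of observed API actions would be blocked by the new version. The two policy documents and the list of observed actions are constructed for illustration and do not reproduce the real AWSCompromisedKeyQuarantine text; the policy ARN is assumed to follow the standard `arn:aws:iam::aws:policy/<Name>` shape for AWS managed policies. The last function models the caveat from the closing paragraph: if the quarantine policy is not attached to the principal, none of the Deny statements apply.

```python
"""Diff Deny actions between two versions of an IAM managed policy and check
which observed actions the policy would block.  Added example; all policy
documents and action lists below are constructed, not AWS's real policies."""
from __future__ import annotations

import fnmatch
import json

# Constructed stand-in for an older version of a quarantine-style policy.
POLICY_V_OLD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "iam:CreateUser",
                   "iam:CreateAccessKey", "lambda:CreateFunction"],
        "Resource": "*",
    }],
})

# Constructed stand-in for a newer version that adds actions for the services
# the article discusses (Bedrock, ECS, SES, SageMaker, CodeBuild, Amplify).
POLICY_V_NEW = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "iam:CreateUser",
                   "iam:CreateAccessKey", "lambda:CreateFunction",
                   "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream",
                   "ecs:CreateCluster", "ecs:RunTask",
                   "ses:SendEmail", "ses:SendRawEmail",
                   "sagemaker:CreateNotebookInstance",
                   "codebuild:CreateProject", "amplify:CreateApp"],
        "Resource": "*",
    }],
})

# Assumed ARN shape for the AWS managed policy (name taken from the article).
QUARANTINE_ARN = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3"

# Constructed list of "service:Action" pairs, as one might derive from
# CloudTrail eventSource/eventName fields for a suspect key.
OBSERVED_ACTIONS = ["sts:GetCallerIdentity", "bedrock:InvokeModel",
                    "ec2:DescribeInstances", "ecs:RunTask", "ses:SendRawEmail"]


def deny_actions(policy_doc: str) -> set[str]:
    """Collect every action pattern that appears in a Deny statement."""
    statements = json.loads(policy_doc).get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be a bare object
        statements = [statements]
    patterns: set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # "Action" may be a string or a list
            actions = [actions]
        patterns.update(actions)
    return patterns


def diff_policies(old_doc: str, new_doc: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) Deny actions between two policy versions."""
    old, new = deny_actions(old_doc), deny_actions(new_doc)
    return sorted(new - old), sorted(old - new)


def is_denied(policy_doc: str, action: str) -> bool:
    """True if any Deny pattern matches the action.  IAM action matching is
    case-insensitive and supports '*' / '?' wildcards, which fnmatch honours.
    Simplification: Resource and Condition are ignored, which fits a
    quarantine-style policy written with Resource "*" and no conditions."""
    target = action.lower()
    return any(fnmatch.fnmatchcase(target, pat.lower())
               for pat in deny_actions(policy_doc))


def blocked_actions(policy_doc: str, observed: list[str]) -> list[str]:
    """Subset of observed actions the policy would deny, in input order."""
    return [a for a in observed if is_denied(policy_doc, a)]


def quarantine_blocks(attached_policy_arns: list[str], policy_doc: str,
                      observed: list[str]) -> list[str]:
    """The Deny only bites if the quarantine policy is actually attached to
    the principal; otherwise nothing observed is restricted by it."""
    if QUARANTINE_ARN not in attached_policy_arns:
        return []
    return blocked_actions(policy_doc, observed)


if __name__ == "__main__":
    added, removed = diff_policies(POLICY_V_OLD, POLICY_V_NEW)
    print("Newly denied actions:", added)
    print("No longer denied:", removed)
    print("Blocked with quarantine attached:",
          quarantine_blocks([QUARANTINE_ARN], POLICY_V_NEW, OBSERVED_ACTIONS))
    print("Blocked without quarantine attached:",
          quarantine_blocks([], POLICY_V_NEW, OBSERVED_ACTIONS))
```

Against real data, the policy documents would come from `iam:GetPolicyVersion` for the two version ids and the attached ARNs from `iam:ListAttachedUserPolicies`; the evaluation logic stays the same, and an empty result from `quarantine_blocks` on a key you suspect is a reminder that the quarantine is not a substitute for your own credential monitoring.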
