First, the difference between "programmatic access" and "management console access" must be briefly explained. Programmatic access is used when a user or a machine needs to reach the AWS Command Line Interface (CLI), the AWS SDKs, or the HTTPS APIs of individual AWS services directly. Tools like Ansible or Terraform are typical examples of this access type.
Then there is access to the Management Console. Usually a human authenticates to the Management Console with a web browser, using a user name and password (and hopefully a second factor), in order to get access to the GUI for managing resources.
From now on, this article will only focus on programmatic access. Credentials for programmatic access are called Access Keys. An Access Key consists of two components: an Access Key ID and a Secret Access Key. They could look like the following:
To test what exactly happens when credentials are published, various security measures were put in place. Among others, a user with no permissions at all was used, and Multi-Factor Authentication (MFA) was enabled for all users in this account. The account was also monitored very closely so that any suspicious activity could be identified immediately.
We tested these security measures several times to make sure they worked as expected. We had to be sure that no actions could be executed with the published Access Keys and that log entries were written as expected.
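The monitoring described above can be made concrete with CloudTrail, which records every API call made with a key together with its source IP and the error code IAM returned. The following is an added example, not code from the original article: it takes CloudTrail-style records for a zero-permission canary user, filters out our own pre-publication tests, and reports how quickly the key was used from foreign addresses and whether any call other than `sts:GetCallerIdentity` (which needs no permissions and therefore always succeeds) got through. The key ID is AWS's documented placeholder; the user name, timestamps and IP addresses are constructed for illustration.

```python
"""Flag use of a published canary Access Key in CloudTrail-style records.

Added example, not code from the original article. Record layout follows
CloudTrail's JSON (eventTime, eventName, userIdentity.accessKeyId,
sourceIPAddress, errorCode); the key IDs are AWS's documented placeholders
and all timestamps and IP addresses are constructed for illustration.
"""
from datetime import datetime, timezone

# AWS's documented placeholder Access Key ID (never a live key).
CANARY_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
# Assumed moment of the git push that exposed the key (constructed).
PUBLISHED_AT = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
# Addresses from which we tested the key ourselves before publishing (constructed).
OWN_IPS = frozenset({"203.0.113.10"})


def _ident(key_id, user="canary"):
    return {"type": "IAMUser", "userName": user, "accessKeyId": key_id}


# Constructed CloudTrail-like events, reduced to the fields used below.
SAMPLE_EVENTS = [
    # Our own pre-publication check of the key: not a foreign use.
    {"eventTime": "2016-01-01T11:58:30Z", "eventName": "GetCallerIdentity",
     "userIdentity": _ident(CANARY_KEY_ID), "sourceIPAddress": "203.0.113.10"},
    # sts:GetCallerIdentity needs no permissions, so it succeeds even for a
    # zero-permission user: this is the typical first reconnaissance call.
    {"eventTime": "2016-01-01T12:00:41Z", "eventName": "GetCallerIdentity",
     "userIdentity": _ident(CANARY_KEY_ID), "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2016-01-01T12:00:43Z", "eventName": "DescribeInstances",
     "userIdentity": _ident(CANARY_KEY_ID), "sourceIPAddress": "198.51.100.7",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2016-01-01T12:02:10Z", "eventName": "ListBuckets",
     "userIdentity": _ident(CANARY_KEY_ID), "sourceIPAddress": "192.0.2.55",
     "errorCode": "AccessDenied"},
    {"eventTime": "2016-01-01T12:04:05Z", "eventName": "RunInstances",
     "userIdentity": _ident(CANARY_KEY_ID), "sourceIPAddress": "192.0.2.55",
     "errorCode": "Client.UnauthorizedOperation"},
    # A different (placeholder) key in the same account: ignored.
    {"eventTime": "2016-01-01T12:03:00Z", "eventName": "ListBuckets",
     "userIdentity": _ident("AKIAI44QH8DHBEXAMPLE", "admin"),
     "sourceIPAddress": "203.0.113.10"},
]

# Error codes CloudTrail records when IAM refuses a call.
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def parse_event_time(s):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_key_usage(events, key_id, published_at, own_ips=frozenset()):
    """Summarise foreign API calls made with key_id after published_at.

    Returns a dict:
      first_use_seconds  delay from publication to the first foreign call (None if none)
      foreign_ips        sorted source addresses that used the key
      succeeded          event names of calls without an authorization error; anything
                         here other than GetCallerIdentity means the canary user had
                         more than zero permissions and the setup must be fixed
      calls              (eventTime, eventName, sourceIPAddress, errorCode) in time order
    """
    calls = []
    for ev in events:
        if ev.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue
        t = parse_event_time(ev["eventTime"])
        ip = ev.get("sourceIPAddress")
        if t < published_at or ip in own_ips:
            continue
        calls.append((t, ev["eventName"], ip, ev.get("errorCode")))
    calls.sort(key=lambda c: c[0])
    first = (calls[0][0] - published_at).total_seconds() if calls else None
    return {
        "first_use_seconds": first,
        "foreign_ips": sorted({c[2] for c in calls}),
        "succeeded": [c[1] for c in calls if c[3] not in DENIED_CODES],
        "calls": [(t.isoformat(), n, ip, err) for t, n, ip, err in calls],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_key_usage(SAMPLE_EVENTS, CANARY_KEY_ID,
                                       PUBLISHED_AT, OWN_IPS), indent=2))
```

On the constructed sample the first foreign call arrives 41 seconds after publication from one address, a second address follows two minutes later, and the only call that succeeds is `GetCallerIdentity`; every attempt to touch EC2 or S3 is refused, which is exactly what a correctly configured zero-permission canary should show. Pointing the same function at a real CloudTrail export (or a CloudWatch Logs subscription) turns it into the alarm that fires the moment a leaked key is exercised.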
Finally, we published the Access Keys to GitHub. A simple Ansible playbook with the following content was used:
The response to the credential leak was absolutely overwhelming for us. In less than a minute, foreign parties tried to take advantage of the leaked credentials. Within the 6 minutes in which the credentials were valid we received connections from different anonymizing networks and from China.
AWS noticed the problem just as swiftly and notified us immediately: an email informing us about the problem arrived in our inbox right after the leak. We were informed that the access keys would remain valid. To protect the account, AWS temporarily limited the ability to create AWS resources.
Malicious actors actively monitor code published on GitHub (and other source code repositories). This can easily be accomplished using the API GitHub offers. If a key is published by mistake, someone will try to capitalize on it immediately. Automated tools exist to take advantage of leaked credentials within seconds. AWS reacted in an exemplary manner and immediately implemented protective measures on the compromised account.
With this test we wanted to raise awareness. Access Keys are critical components that require special protection. On its website, AWS discusses in detail how to handle Access Keys and how to protect them accordingly. Swisscom is also glad to answer any specific security questions regarding IAM or Amazon Web Services in general.
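The same pattern matching that lets attackers harvest keys from public commits works just as well as a pre-commit check on your own side. The following is an added example, not code from the original article or from AWS: it scans text for the documented Access Key formats (a 20-character ID beginning with `AKIA` for long-term IAM user keys or `ASIA` for temporary STS keys, and a 40-character Secret Access Key, which has no fixed prefix and is therefore only matched next to a "secret key" assignment to limit false positives). The sample playbook it scans is constructed and contains only AWS's documented placeholder credentials.

```python
"""Scan text for AWS Access Key material before it is pushed.

Added example, not code from the original article or from AWS. The regular
expressions encode the documented key formats; the sample playbook below is
constructed and uses AWS's documented placeholder credentials.
"""
import re
import sys

# An Access Key ID is 20 characters: a 4-character prefix plus 16 upper-case
# letters or digits. AKIA marks long-term IAM user keys, ASIA temporary (STS)
# keys. The \b anchors stop the pattern matching inside longer tokens.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A Secret Access Key is 40 base64-style characters with no fixed prefix, so
# it is only matched next to a "secret key" style assignment (YAML, shell,
# .ini, JSON); a bare 40-character token could just as well be a git SHA.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_aws_credentials(text):
    """Return [(line_number, kind, value), ...] for every suspected key in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", m.group(1)))
    return hits


def redact(text):
    """Replace suspected keys with a marker so a file can be shared or logged safely."""
    text = ACCESS_KEY_ID_RE.sub(lambda m: m.group(1)[:4] + "<REDACTED>", text)
    return SECRET_KEY_RE.sub(lambda m: m.group(0).replace(m.group(1), "<REDACTED>"), text)


# Constructed Ansible playbook with credentials pasted straight into vars;
# the values are AWS's documented placeholders, not live keys.
SAMPLE_PLAYBOOK = """\
- hosts: localhost
  vars:
    aws_access_key: AKIAIOSFODNN7EXAMPLE
    aws_secret_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  tasks:
    - ec2_instance_info:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
"""


if __name__ == "__main__":
    # Pre-commit style use: scan each file named on the command line and
    # fail (exit 1) if anything looks like a key, printing only a prefix.
    found = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind, value in find_aws_credentials(fh.read()):
                print(f"{path}:{lineno}: possible {kind}: {value[:4]}...")
                found = True
    sys.exit(1 if found else 0)
```

Run as `python scan_keys.py playbook.yml` from a git pre-commit hook, it blocks the commit shown above at lines 3 and 4 while leaving the `{{ aws_access_key }}` template references alone. It is a cheap last line of defence only: the durable fix is to keep long-term keys out of files entirely (environment variables, an IAM role on the machine that runs Ansible, or temporary STS credentials), and to treat any key that does reach a public repository as compromised and rotate it immediately, since the attacker's scanner will have seen it before yours does.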
Cloud Solution Engineer