Detecting Credential Compromise in AWS

Conference: BlackHat USA 2018



The presentation discusses a new approach to detecting credential misuse and compromise outside of AWS infrastructure using CloudTrail and temporary credentials.
  • Understanding AWS and how it works is crucial to detecting credential misuse and compromise
  • Temporary credentials issued by AWS are valid for up to 6 hours, which bounds the window needed to gain full coverage of an environment
  • CloudTrail records API calls together with the source IP address each call came from, so it can be used to audit where credentials are being used
  • Centralizing CloudTrail is a best practice recommended by AWS
  • Detecting credential misuse and compromise outside of AWS infrastructure is a scale problem
  • 90-day event history of API calls is now free in the AWS console
The speaker mentions that they have hundreds of thousands of servers that change constantly, with 4,000 deploys a day. They wanted to detect when a credential was being used outside of Netflix's own infrastructure, not merely outside of AWS, but found that no one was doing this publicly. They also note that pagination and rate-limiting become problems when using describe API calls to enumerate an environment of that size.
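The core of the approach summarized above is to learn each temporary credential's source IP from CloudTrail itself rather than enumerating the environment first. The following is an added example written for this page, not the speaker's or Netflix's tooling. It assumes the detector keys on `userIdentity.accessKeyId` of `AssumedRole` records, skips calls whose `sourceIPAddress` is an AWS service DNS name (the form CloudTrail uses when a service calls on the principal's behalf), and uses the 6-hour credential lifetime to expire table entries. The CloudTrail records are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Temporary credentials handed out by AWS live for at most 6 hours (per the talk summary), so a
# key first seen more than that long ago cannot be used again and its entry can be dropped.
CREDENTIAL_LIFETIME = timedelta(hours=6)

# Constructed CloudTrail log body for illustration only (not real Netflix or AWS data). Only the
# fields the detector reads are included; access key IDs, ARNs and IPs are placeholders.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2018-08-08T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0abc123"}},
    {"eventTime": "2018-08-08T10:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0abc123"}},
    # An AWS service calling on the role's behalf reports its own DNS name, not an IP.
    {"eventTime": "2018-08-08T10:07:00Z", "eventName": "DescribeStacks",
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0abc123"}},
    # A long-lived IAM user key is not a temporary credential and is out of scope here.
    {"eventTime": "2018-08-08T10:08:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000002",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2018-08-08T10:10:00Z", "eventName": "GetQueueUrl",
     "sourceIPAddress": "10.0.2.8",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::123456789012:assumed-role/worker-role/i-0def456"}},
    # The web role's temporary key, now used from an address outside the environment.
    {"eventTime": "2018-08-08T10:30:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0abc123"}},
    # More than 6 hours after the worker key was first seen. A real key ID would not recur, but
    # this shows the expiry: the stale entry is dropped and the use is learned afresh, not alerted.
    {"eventTime": "2018-08-08T16:20:00Z", "eventName": "GetQueueUrl",
     "sourceIPAddress": "10.0.3.99",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::123456789012:assumed-role/worker-role/i-0def456"}},
]})


def parse_cloudtrail(text):
    """Parse a CloudTrail log file body (a JSON object with a top-level "Records" list)."""
    return json.loads(text)["Records"]


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_credential_misuse(records, lifetime=CREDENTIAL_LIFETIME):
    """Learn the first source IP of every temporary credential; flag later use from another IP.

    Returns (alerts, first_seen). first_seen maps access key ID -> (ip, first-seen time) for keys
    that may still be valid, so nothing about the environment's IPs is needed up front.
    """
    first_seen = {}
    alerts = []
    for rec in sorted(records, key=_event_time):
        now = _event_time(rec)
        # Drop keys that must have expired; this keeps the table bounded at scale.
        for key, (_, seen) in list(first_seen.items()):
            if now - seen > lifetime:
                del first_seen[key]
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # only temporary credentials are tracked
        key = ident.get("accessKeyId")
        ip = rec.get("sourceIPAddress", "")
        if not key or ip.endswith(".amazonaws.com"):
            continue  # service-on-behalf calls carry no caller IP to compare
        if key not in first_seen:
            first_seen[key] = (ip, now)
            continue
        expected_ip, _ = first_seen[key]
        if ip != expected_ip:
            alerts.append({"accessKeyId": key, "arn": ident.get("arn"),
                           "eventName": rec.get("eventName"), "eventTime": rec["eventTime"],
                           "sourceIPAddress": ip, "expectedIP": expected_ip})
    return alerts, first_seen


if __name__ == "__main__":
    found, _ = detect_credential_misuse(parse_cloudtrail(SAMPLE_CLOUDTRAIL))
    for alert in found:
        print(json.dumps(alert))
```

The per-record pruning loop is linear and is there only to make the expiry visible; a production version would hold the table in a store with a TTL. The example only excludes the service-on-behalf case; a VPC endpoint, a NAT gateway, or an instance that has both a public and a private address can also change the observed source IP legitimately and needs its own handling before alerts are acted on.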


Credential compromise in the cloud is not a threat that only one company faces; rather, it is a widespread concern as more and more companies operate in the cloud. Credential compromise can lead to many different outcomes depending on the motive of the attacker who compromised the credentials. In some past cases it has led to unauthorized use of AWS services for bitcoin mining or other non-destructive but costly abuse; in others it has led to companies shutting down after the loss of their data and infrastructure. This paper describes an approach for detecting compromised credentials in AWS without needing to know all of the IPs in your infrastructure beforehand.