AWS Launches Improvements for Key Quarantine Policy

Recently, AWS expanded the scope of their AWSCompromisedKeyQuarantine policies (v2 and v3) to include new actions. This policy is used by AWS to lock down access keys that they suspect have been compromised. A common example of this process in action is when AWS automatically applies the quarantine policy to any keys found by scanning public GitHub repositories. 

This proactive protection mechanism can stop compromises before they happen. However, only a limited set of actions are restricted by the policy. The MAMIP project continuously monitors AWS managed policies, such as AWSCompromisedKeyQuarantine, for changes. On October 2nd, 2024, it picked up changes to the policy that added ~29 new actions that would be restricted. 

MAMPI repository

Looking at the list of actions that were added, it is clear AWS has been monitoring the actions that threats are abusing when they compromise credentials. Let’s take a look at some specific examples to understand why they were added to the list.

The advent of LLMjacking was reported by Sysdig earlier this year and involves the abuse of hosted LLMs for a number of purposes. This attack vector can get very expensive for the victim as models like Anthropic’s Claude are not cheap. In the policy changes we can see five AWS Bedrock calls have now been restricted. These actions were all shown to be used by the attackers in the threat reports above.

AMBERSQUID was an operation detected by the Sysdig TRT in September 2023, which leveraged lesser known AWS services to conduct cryptomining.  Specifically, the attacker used the Amplify, CodeBuild, Sagemaker, and ECS services during the operation. The AMBERSQUID attackers used stolen credentials to very quickly launch miners using all of these services. Since they are lesser known and may not provide the same potential visibility of services like EC2, they are a tempting target due to lack of detections. With the changes to the policy, many of these actions will no longer be possible if an access key has the quarantine policy attached. 

Earlier this year, Datadog reported on ECS-based attacks that showed compromised credentials were used to create Fargate clusters in order to run cryptominers. The attackers used randomized names and spread their activity across many different regions. This approach allowed them to scale their operations to make as much money as possible before being shut off. 

Another attack reported by Datadog this year covers how attackers abuse the Simple Email Service (SES) to send spam and phishing messages. This is yet another way compromised credentials are used to make money or further an attacker’s goals. Both the ECS and SES actions have now been addressed in the policy changes. 

It is important to remember that, while these are important steps taken by AWS, these protections are only applied to access keys that they suspect have been compromised. If the AWSCompromisedKeyQuarantine has not been applied to the key, none of the restrictions will apply. Protecting your organizations credentials and monitoring them for signs of abuse is still critical.