Watch your AWS access keys – Impact of publishing them on GitHub

Identity and Access Management (IAM) is an important area within the Security chapter of the Amazon Web Services (AWS) Well-Architected Framework. Within Swisscom we share this opinion. To raise awareness and to gain hands-on experience with AWS technologies, we started a simple test: we wanted to find out what happens when valid AWS Access Keys are published on GitHub. This blog post describes the procedure and the effects.

"Programmatic Access" versus "Management Console Access"

First, the difference between "programmatic access" and "management console access" needs a brief explanation. Programmatic access is used when a user or a machine needs to use the AWS Command Line Interface (CLI), the AWS SDKs, or direct HTTPS calls to the APIs of individual AWS services. Tools like Ansible or Terraform are typical examples of this access type.

Then there is access to the Management Console. Usually a human authenticates to the Management Console using a web browser, with user name and password (and hopefully a second factor), in order to get access to the GUI for managing resources.

From now on, this article focuses only on programmatic access. Credentials for programmatic access are called Access Keys. An Access Key consists of two components, an Access Key ID and a Secret Access Key. They could look like the following:

  • Access Key ID: AKIAJ[……..]VVSUIS
  • Secret Access Key: 9sDXP9aLws[……..]GxCPurPzCKo2stXPIB

Publishing the Access Keys

To test what exactly happens when credentials are published, various security measures were implemented. Among others, a user with no permissions at all was used, and Multi-Factor Authentication (MFA) was enabled for all users in this account. The account was also monitored very closely so that any suspicious activity could be identified immediately.

We tested the security measures several times to make sure they worked as expected. We had to be sure that no actions could be executed with the published Access Keys and that log entries were written as expected.

Finally, we published the Access Keys to GitHub. A simple Ansible playbook with the following content was used:

---
- hosts: localhost
  gather_facts: no
  vars:
    bucketname: mybucketname-20180531
  tasks:
    - name: Create a S3 bucket
      aws_s3:
        # Access Key ID and Secret Access Key (redacted in this post)
        aws_access_key: AKIAJ[........]VVSUIS
        aws_secret_key: 9sDXP9aLws[........]GxCPurPzCKo2stXPIB
        bucket: "{{ bucketname }}"
        mode: create

The response to the credential leak was absolutely overwhelming for us. In less than one minute, foreign parties tried to take advantage of the leaked credentials. Within the 6 minutes in which the credentials were valid, we received connections from different anonymizing networks and from China.

AWS noticed the problem just as swiftly and notified us immediately: an email informing us about the problem arrived in our inbox right after the leak. We were informed that the Access Keys would remain valid. To protect the account, AWS temporarily limited the ability to create AWS resources.

Watch your Access Keys

Malicious actors actively monitor published code on GitHub (and other source code repositories). This can easily be accomplished using the API GitHub offers. If a key is published by mistake, someone will try to capitalize on it immediately. Automated tools exist that take advantage of leaked credentials within seconds. AWS reacted in an exemplary manner and immediately implemented protective measures on the compromised account.

With this test we wanted to raise awareness. Access Keys are critical components that require special protection. On its website, AWS discusses in detail how to handle Access Keys and how to protect them accordingly. Swisscom, too, is glad to answer any specific security questions regarding IAM or Amazon Web Services in general.
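As an added example that is not from the original post or from Swisscom, the following Python script scans a file such as the playbook above for AWS key material before it is committed. The key shapes (a 20-character ID starting with "AKIA", a 40-character base64-alphabet secret) are AWS's documented formats; the entropy threshold is an assumption, and the sample values are AWS's published example key pair, not real credentials.

```python
import math
import re
from typing import List, NamedTuple

# Long-term IAM user Access Key IDs are 20 characters and start with "AKIA".
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# Secret Access Keys are 40 base64-alphabet characters. That shape alone also matches
# harmless strings, so report only when the line names a secret or the token is high-entropy.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"secret", re.IGNORECASE)


class Finding(NamedTuple):
    line_no: int
    kind: str   # "access_key_id" or "secret_access_key"
    value: str  # masked like the post: first 4 and last 4 characters kept


def shannon_entropy(s: str) -> float:
    """Bits per character; a random 40-character key scores well above 4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value: str) -> str:
    return value[:4] + "[........]" + value[-4:]


def scan_text(text: str, entropy_threshold: float = 4.0) -> List[Finding]:
    """Return every probable Access Key ID / Secret Access Key with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", mask(m.group())))
        for m in SECRET_KEY_RE.finditer(line):
            # threshold 4.0 bits/char is an assumption, tuned to pass random keys
            if SECRET_CONTEXT_RE.search(line) or shannon_entropy(m.group()) >= entropy_threshold:
                findings.append(Finding(line_no, "secret_access_key", mask(m.group())))
    return findings


# Constructed sample: the post's playbook shape with AWS's documented example key pair.
SAMPLE_PLAYBOOK = """\
---
- hosts: localhost
  tasks:
    - aws_s3:
        aws_access_key: AKIAIOSFODNN7EXAMPLE
        aws_secret_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
        bucket: mybucketname-20180531
        mode: create
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PLAYBOOK):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

Wiring `scan_text` into a pre-commit hook and refusing the commit on any finding stops the key from ever reaching a public repository, which, given the sub-minute exploitation seen in the test, is the only point at which the leak can still be prevented.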

Do you want to learn more about Swisscom's portfolio and services on Amazon Web Services (AWS)?
Get in touch with our experts! Coc.aws@swisscom.com or visit swisscom.ch/aws