AWS Access Key is Compromised. Now What?


These articles are AI-generated summaries. Please check the original sources for full details.


Exposure of an AWS access key can lead to unauthorized access: an attacker holding the key can call sts:GetSessionToken to mint temporary credentials valid for up to 36 hours, and those credentials keep working even after the original key is deactivated. That window gives the attacker persistent access past the point where the key itself has been shut off.

Why This Matters

IAM roles, which issue short-lived and automatically rotated credentials, are the gold standard, but static access keys are still used for third-party integrations. A compromised key can give an attacker a 36-hour foothold via aws sts get-session-token that survives immediate deactivation of the key. This undermines the assumption that deleting a key instantly mitigates risk: temporary tokens that were already issued remain valid on their own.

Key Insights

  • 36-hour session token lifespan (2025): attackers use get-session-token to keep access after the key is deactivated.
  • Deny policy with time-based condition: restrict new temporary tokens issued after compromise using a DateLessThan condition on aws:TokenIssueTime in IAM policies.
  • CloudTrail + GuardDuty: forensic analysis of CloudTrail logs and threat detection by GuardDuty establish the scope of the attack and its indicators of compromise.

Working Example

# Attacker-generated session token (36-hour lifespan = 129600 seconds, the
# maximum get-session-token allows for an IAM user)
aws sts get-session-token --duration-seconds 129600

# IAM deny policy. DateLessThan on aws:TokenIssueTime matches every request
# made with temporary credentials that were issued before the timestamp, so
# the Deny revokes those sessions regardless of how long they had left.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessWithTemporaryCredentialsIssuedAfterCompromise",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "aws:TokenIssueTime": "2025-12-08T16:00:00Z"
        }
      }
    }
  ]
}
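The following script is an added example, not code from the article or its source. It ties the three Key Insights together offline: it reads constructed CloudTrail-style records (all key IDs, timestamps and events are made up; field names follow the real GetSessionToken event shape but are trimmed to what is used), lists the temporary session tokens the compromised long-lived key minted, and evaluates a DateLessThan / aws:TokenIssueTime deny policy of the same structure as the one above against each still-valid session. It runs with the standard library only and needs no AWS account.

```python
"""Offline triage for a compromised long-lived AWS access key.

Added example (not from the original article). Finds the temporary session
tokens a long-lived key minted through sts:GetSessionToken in CloudTrail
records, and checks which of them a DateLessThan / aws:TokenIssueTime deny
policy would actually block.
"""
import json
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 with a trailing Z; make it tz-aware."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events (not real CloudTrail output; fields trimmed to those
# used here). AKIA... is the long-lived IAM user key, ASIA... are temporary keys.
COMPROMISED_KEY = "AKIAEXAMPLEKEY000001"
SAMPLE_EVENTS = [
    {   # routine 1-hour token minted the day before the incident
        "eventTime": "2025-12-07T09:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken",
        "userIdentity": {"accessKeyId": COMPROMISED_KEY},
        "requestParameters": {"durationSeconds": 3600},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLETEMP00001"}},
    },
    {   # 36-hour token: the foothold the article describes
        "eventTime": "2025-12-08T15:30:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken",
        "userIdentity": {"accessKeyId": COMPROMISED_KEY},
        "requestParameters": {"durationSeconds": 129600},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLETEMP00002"}},
    },
    {   # unrelated key; the triage must ignore it
        "eventTime": "2025-12-08T16:30:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"},
        "requestParameters": {"durationSeconds": 3600},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLETEMP00003"}},
    },
    {   # follow-on activity performed with the 36-hour token
        "eventTime": "2025-12-08T17:10:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {"accessKeyId": "ASIAEXAMPLETEMP00002"},
    },
]


def minted_sessions(events, long_lived_key):
    """Temporary credentials that long_lived_key obtained through GetSessionToken."""
    out = []
    for ev in events:
        if ev.get("eventName") != "GetSessionToken":
            continue
        if ev["userIdentity"].get("accessKeyId") != long_lived_key:
            continue
        issued = parse_ts(ev["eventTime"])
        duration = int(ev["requestParameters"]["durationSeconds"])
        out.append({
            "temp_key_id": ev["responseElements"]["credentials"]["accessKeyId"],
            "issued_at": issued,
            "expires_at": issued + timedelta(seconds=duration),
            "duration_seconds": duration,
        })
    return out


def policy_denies(token_issue_time, cutoff):
    """DateLessThan on aws:TokenIssueTime: the Deny matches only sessions issued
    strictly before the cutoff; sessions minted at or after it are untouched."""
    return token_issue_time < cutoff


def revoke_policy(cutoff):
    """Deny policy with the same structure as the article's, cutoff filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAccessWithTemporaryCredentialsIssuedBeforeCutoff",
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }


def triage(events, long_lived_key, cutoff, now):
    """Split the key's still-valid sessions into those the policy blocks and those
    it leaves usable, and list every event made with any of its temporary keys."""
    sessions = minted_sessions(events, long_lived_key)
    active = [s for s in sessions if s["expires_at"] > now]
    temp_ids = {s["temp_key_id"] for s in sessions}
    return {
        "active_denied": [s["temp_key_id"] for s in active
                          if policy_denies(s["issued_at"], cutoff)],
        "active_still_allowed": [s["temp_key_id"] for s in active
                                 if not policy_denies(s["issued_at"], cutoff)],
        "follow_on_events": [(e["eventTime"], e["eventName"]) for e in events
                             if e["userIdentity"].get("accessKeyId") in temp_ids],
    }


if __name__ == "__main__":
    now = parse_ts("2025-12-08T16:05:00Z")   # constructed "time of response"
    print(json.dumps(revoke_policy(now), indent=2))
    print(triage(SAMPLE_EVENTS, COMPROMISED_KEY, cutoff=now, now=now))
```

The test at the end of the script shows the caveat that matters in practice: if the cutoff is set to the estimated compromise time (15:00) instead of the moment the policy is attached (16:05), the 36-hour token minted at 15:30 is still allowed, because DateLessThan only catches sessions issued before the cutoff. Attaching the policy with the current timestamp revokes everything already issued, and deactivating the key then stops new tokens from being minted; the follow_on_events list gives the CloudTrail activity to hand to the forensic scoping step.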

Practical Applications

  • Use Case: third-party services that require static credentials (e.g., legacy APIs) force reliance on IAM users and their long-lived access keys.
  • Pitfall: delayed deactivation of a compromised key gives the attacker time to mint long-lived session tokens that outlast the key.
