Base64 AWS keys
Description
General
- Documentation: https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html
- Summary: Amazon Web Services is a cloud provider. It provides computing and storage services. AWS keys allow users to programmatically manage AWS resources. As an example, one can create or delete instances using the access keys. This detector will detect AWS keys encoded in base64.
- IPs allowlist: It is possible to configure IP ranges that have access to AWS resources. Learn more.
- Scopes: One can create keys for IAM user. An IAM user is an identity that represents a person or an application. Permissions are granted to the IAM user and the access keys attached to the user will inherit the same permissions. IAM user also supports MFA for additional security. Anyone who has such an access key has unrestricted access to all the IAM account resources, possibly including billing information.
Revoke the secret
Sign in to the AWS Management Console as the AWS account root user then choose the desired account name in the navigation bar, and go to "My Security Credentials".
Expand the "Access keys" section then click on the delete button.
The difference between the delete button and the make inactive button is that disabled keys can be re-enabled later, which should not be the case here.
Check for suspicious activity
AWS CloudTrail is the service logging API calls. When enabled, the service delivers the log files to an S3 bucket.
Details for Base64 aws iam
-
Family: Api
-
Category: Cloud Provider
-
Company: Amazon Web Services
-
High recall: True
-
Validity check available: True
-
Analyzer available: False
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 2
-
Occurrences found for one million commits: 2.6
-
Prefixed: True
-
PreValidators:
- type: Base64ContentWhitelistPreValidator
keywords:
- AKIA
- ABIA
- ACCA
Examples
- text: |
client id = QUJJQUs1MkxQRk9SUFJVQ1JDMjI=
UzB1Z041d3YybUJIcitlN0RON2RUcWc0QWE2YjRsNUkwZ0RSZnE5Uw==
client_id: QUJJQUs1MkxQRk9SUFJVQ1JDMjI
client_secret: UzB1Z041d3YybUJIcitlN0RON2RUcWc0QWE2YjRsNUkwZ0RSZnE5Uw
- text: |
client id = QUNDQUs1MkxQRk9SUFJVQ1JDMjI=
UzB1Z041d3YybUJIcitlN0RON2RUcWc0QWE2YjRsNUkwZ0RSZnE5Uw==
client_id: QUNDQUs1MkxQRk9SUFJVQ1JDMjI
client_secret: UzB1Z041d3YybUJIcitlN0RON2RUcWc0QWE2YjRsNUkwZ0RSZnE5Uw
- text: |
client id = QUtJQVg1Mk1QWU9UUFJVQ1JDMjI=
UzB1Z041d3YybUJIcitlN0RON2RUcWc0QWE2YjRsNUkwZ0RSZnE5Uw==
client_id: QUtJQVg1Mk1QWU9UUFJVQ1JDMjI
client_secret: UzB1Z041d3YybUJIcitlN0RON2RUcWc0QWE2YjRsNUkwZ0RSZnE5Uw
Details for Base64 aws ses keys
-
Family: Api
-
Category: Cloud Provider
-
Company: Amazon Web Services
-
High recall: True
-
Validity check available: True
-
Analyzer available: False
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 2
-
Occurrences found for one million commits: 0.03
-
Prefixed: True
-
PreValidators:
- type: Base64ContentWhitelistPreValidator
keywords:
- AKIA
Examples
- text: |
"SmtpCredentials": {
"Username": "QUtJQTJVM1hGWlhZNVk1SzRZQ0c=",
"Password": "QkVGbG13QkJYUDhmamZXQnExUnRjOEp1SlVWdzlHbzNuSUMvdXdjaHUvVjQ=",
client_id: QUtJQTJVM1hGWlhZNVk1SzRZQ0c
client_secret: QkVGbG13QkJYUDhmamZXQnExUnRjOEp1SlVWdzlHbzNuSUMvdXdjaHUvVjQ
- text: |
+IAM User Name,Smtp Username,Smtp Password
+"ses-smtp-user.rsin",QUtJQTJRRTRNUUFXM1RMS0NaN0g=,QkFIRDBIUzloTXZiYmFsR1QvUzFiYjJBSUY2c1J0c3RnTFM4anczMitYdXU=
client_id: QUtJQTJRRTRNUUFXM1RMS0NaN0g
client_secret: QkFIRDBIUzloTXZiYmFsR1QvUzFiYjJBSUY2c1J0c3RnTFM4anczMitYdXU
