medium September 21, 2025

Incident Report: From CLI To Console, Chasing An Attacker In AWS

Source report →

In this AWS incident, the attacker gained initial access with a compromised long-term access key belonging to a single IAM user; the key was likely exposed in a public code repository. Using that key with the AWS CLI, the attacker enumerated IAM users (ListUsers), then altered the login profile of a different IAM user (UpdateLoginProfile) to enable console login for that user, and performed a console login from a suspicious location.

Once inside the console, the attacker created new IAM users, generated long-term access keys for them, attached elevated policies (including administrator access), and requested service quota increases, most likely in preparation for resource abuse such as spinning up EC2 instances.

What stands out is the pivot from CLI access to console access. The attacker took advantage of the fact that IAM lets a caller with the right API permissions set or change another user's login profile, so a purely programmatic foothold was turned into an interactive session. The chain therefore relied on two identities: the IAM user whose key was exposed, and a second IAM user that gained console access once its login profile was modified. Holding both a CLI and a console foothold made the attack chain more resilient to the loss of either one.
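As an added example (not code from the source report or from this brief), the Python below correlates CloudTrail-style records to surface the pivot described above: a long-term access key (AKIA prefix) calling UpdateLoginProfile on a different user, followed within a time window by a successful ConsoleLogin by that user, and then the IAM and Service Quotas calls made from the new console session. The event records, account names, key ids and IP addresses are all constructed; only the field names (eventTime, eventName, userIdentity, requestParameters, responseElements, sourceIPAddress) follow the real CloudTrail schema. The pivot window of six hours is an assumed tuning value.

```python
"""Correlate CloudTrail events for the CLI-to-console login-profile pivot.

Added example, not from the incident report. Records below are constructed and
carry only a subset of CloudTrail fields.
"""
from datetime import datetime

# Constructed sample events, chronological. Names, key ids and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2025-09-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000001"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-09-01T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000001"},
     "requestParameters": {"userName": "ops-admin"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-09-01T10:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0"},
    {"eventTime": "2025-09-01T10:07:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "backup-svc"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-09-01T10:08:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "backup-svc"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-09-01T10:09:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-09-01T10:12:00Z", "eventSource": "servicequotas.amazonaws.com",
     "eventName": "RequestServiceQuotaIncrease",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"serviceCode": "ec2"}, "sourceIPAddress": "198.51.100.7"},
    # Benign noise: a user resetting their own console password must not be flagged.
    {"eventTime": "2025-09-01T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "ASIAEXAMPLE000002"},
     "requestParameters": {"userName": "alice"}, "sourceIPAddress": "203.0.113.9"},
]

# Post-login actions worth attaching to a finding (the ones seen in the incident plus PutUserPolicy).
POST_LOGIN_EVENTS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                     "PutUserPolicy", "RequestServiceQuotaIncrease"}
PIVOT_WINDOW_SECONDS = 6 * 3600  # assumed tuning value


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_login_profile_pivots(events):
    """Return one finding per (caller, target) pair where a long-term key (AKIA...)
    set another user's login profile and that user then logged in to the console."""
    events = sorted(events, key=_ts)
    findings = []
    for i, e in enumerate(events):
        if e["eventName"] != "UpdateLoginProfile":
            continue
        caller = e["userIdentity"].get("userName")
        key = e["userIdentity"].get("accessKeyId", "")
        target = e.get("requestParameters", {}).get("userName")
        # Skip self-service password changes and calls made with temporary (ASIA) credentials.
        if target is None or target == caller or not key.startswith("AKIA"):
            continue
        t0 = _ts(e)
        login = next((x for x in events[i + 1:]
                      if x["eventName"] == "ConsoleLogin"
                      and x["userIdentity"].get("userName") == target
                      and x.get("responseElements", {}).get("ConsoleLogin") == "Success"
                      and (_ts(x) - t0).total_seconds() <= PIVOT_WINDOW_SECONDS), None)
        if login is None:
            continue
        # Everything the pivoted-to user did after the login, restricted to escalation-style calls.
        follow_ups = [x for x in events if _ts(x) >= _ts(login)
                      and x["userIdentity"].get("userName") == target
                      and x["eventName"] in POST_LOGIN_EVENTS]
        findings.append({
            "caller": caller,
            "caller_key": key,
            "target": target,
            "login_ip": login["sourceIPAddress"],
            "same_ip_as_cli": login["sourceIPAddress"] == e["sourceIPAddress"],
            "admin_policy_attached": any(
                "AdministratorAccess" in x.get("requestParameters", {}).get("policyArn", "")
                for x in follow_ups),
            "follow_up_events": [x["eventName"] for x in follow_ups],
        })
    return findings


if __name__ == "__main__":
    for finding in find_login_profile_pivots(SAMPLE_EVENTS):
        print(finding)
```

Run over the constructed sample, this yields a single finding for ci-deploy setting ops-admin's login profile, with the console login, the new user, its access key, the AdministratorAccess attachment and the quota request all tied to it; alice's self-service password change is ignored. In a real deployment the same correlation would run over CloudTrail delivered to S3 or a SIEM, and the response action for a hit is to disable the calling key, delete or reset the modified login profile, and review every credential created in the follow-up events.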