New Ransomware Attack Hits AWS Users

How confident are you that your AWS Keys are secure? I sure hope they are, because there is a new attack that is worse than attackers booting up $10,000 an hour worth of EC2 Servers.
If an attacker stumbles upon some valid AWS Access Keys with S3 access, they immediately query S3 to find all the buckets and then encrypt every S3 bucket they can find with Customer Provided Keys.
These are keys that only the attacker has, and they will hold them for ransom until you pay up. Diabolical, I know.
This is fitting considering yesterday’s comic, Credential Cycling Catastrophe.
Now is a good time to cycle your creds or, better yet, migrate away from the antiquated Access Keys to AWS’s Single Sign On tool, IAM Identity Center. This prevents devs from having Access Keys sitting around on their hard drives for years and years, just waiting for attackers to grab them.
Just like accessing the console, the developers will have to reauthorize with MFA every X hours (I think 12 is the default). Much more secure than the way we used to do it.
It also occurs to me that this would be possible if they gained the ability to inject or run code on an AWS resource. Even with just access to your bastion, if the bastion has S3:* permissions, an attacker could likely pull this off, so lock down your IAM Roles too.
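One way to check the "lock down your IAM Roles" advice above, as an added example that is not from the original post: a small Python audit that flags Allow statements granting bucket listing or object write/delete across every bucket. The list of flagged actions, the function names and the sample policy are assumptions constructed for illustration.

```python
import fnmatch

# Assumption for this example: the S3 actions worth flagging when granted broadly.
SENSITIVE_ACTIONS = ("s3:ListAllMyBuckets", "s3:PutObject", "s3:DeleteObject")
ALL_BUCKETS = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}


def _as_list(value):
    # IAM accepts either one string or a list for Action/Resource.
    return [value] if isinstance(value, str) else list(value or [])


def _matches(pattern, action):
    # IAM action names are case-insensitive; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_broad_s3_grants(policy):
    """Return Allow statements exposing sensitive S3 actions on every bucket."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # lone statement
    findings = []
    for index, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            excluded = _as_list(stmt["NotAction"])
            exposed = [a for a in SENSITIVE_ACTIONS
                       if not any(_matches(p, a) for p in excluded)]
        else:
            granted = _as_list(stmt.get("Action"))
            exposed = [a for a in SENSITIVE_ACTIONS
                       if any(_matches(p, a) for p in granted)]
        # NotResource is treated as broad: it covers everything it does not name.
        broad = "NotResource" in stmt or any(
            r in ALL_BUCKETS for r in _as_list(stmt.get("Resource")))
        if exposed and broad:
            findings.append({"index": index, "sid": stmt.get("Sid"), "actions": exposed})
    return findings


# Constructed sample policy, standing in for a bastion role's inline policy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BastionEverything", "Effect": "Allow", "Action": "S3:*", "Resource": "*"},
    {"Sid": "AppUploads", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "WriteAnywhere", "Effect": "Allow", "Action": "s3:Put*", "Resource": ["arn:aws:s3:::*"]},
]}
```

Calling `find_broad_s3_grants(SAMPLE_POLICY)` reports the first and third statements and leaves the bucket-scoped `AppUploads` statement alone.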
So what are you waiting for? Get to work!
- Cycle those creds.
- Lock down your IAM Users and Roles so they only have access to what they absolutely need.
- Back up your S3 files.
PS: Watch the video short on YouTube