A persistence technique in AWS Identity and Access Management (IAM) stems from its eventual consistency model, allowing attackers to retain access even after defenders delete compromised access keys.
AWS IAM, like many distributed systems, relies on eventual consistency to scale across regions and replicas. Updates to resources such as access keys or policies propagate with a predictable delay of roughly 3-4 seconds, as confirmed by OFFENSAI's testing across regions such as us-east-1 and eu-central-1.
During this window, deleted keys remain valid for API calls, so an attacker holding one can still list the user's keys (receiving an empty array, since the deletion has already been recorded) or create new ones before invalidation completes.
Access key used after deletion
Security firm OFFENSAI demonstrated this in a simulated attack: a defender runs aws iam delete-access-key --access-key-id AKIA… --user-name bob, and the attacker quickly follows with aws iam create-access-key --user-name bob using the key that was just deleted.
CloudTrail accurately records both the deletion and the subsequent actions, yet the consistency lag still permits persistence. The same behavior extends beyond keys to policy attachments, role deletions, and login profiles, amplifying risk during incident response.
Persistence within keys
Traditional playbooks fail here: attaching a deny-all policy such as AWSDenyAll opens the same window, because attackers can detect the change by polling ListAccessKeys or similar APIs and detach the policy before it takes effect.
AWS's own Credential Cleanup Procedure, published on re:Post, advises waiting for full propagation periods, but it proves ineffective against proactive attackers who preempt policy enforcement.
Post-disclosure testing revealed partial fixes. A deleted key now blocks new key creation, but gaps persist: attackers can still detect changes and create assumable roles with AdministratorAccess trusted by external accounts.
OFFENSAI recommends account-level Service Control Policies (SCPs) applied through AWS Organizations to deny all actions for compromised principals, since attackers inside the account have no control over SCPs.
Only after the SCP has propagated should cleanup proceed. AWS acknowledged the findings in April 2025, applying development fixes and documentation updates without classifying the issue as a vulnerability. Retests shared on December 5, 2025, align with that assessment and urge playbook revisions.
No in-the-wild exploits have surfaced. Organizations should build such delays into their detection rules, and favor IAM roles and STS temporary credentials over long-term keys to minimize exposure.
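One way to turn the behavior above into a detection rule, written as an added example rather than anything from OFFENSAI or AWS: scan CloudTrail records for any API call signed with an access key that had already been deleted, and for a CreateAccessKey on a user shortly after one of that user's keys was deleted. The records below are constructed sample events with placeholder key IDs, and the 30-second window is an assumption chosen to comfortably cover the 3-4 second propagation delay the page reports.

```python
import json
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real logs): an admin deletes bob's key,
# bob's key is then used one second later to list keys and mint a replacement.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2025-12-05T10:00:00Z", "eventName": "DeleteAccessKey",
     "userIdentity": {"userName": "admin", "accessKeyId": "AKIAEXAMPLEADMIN0001"},
     "requestParameters": {"userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB000001"}},
    {"eventTime": "2025-12-05T10:00:01Z", "eventName": "ListAccessKeys",
     "userIdentity": {"userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB000001"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2025-12-05T10:00:02Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB000001"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2025-12-05T10:05:00Z", "eventName": "ListAccessKeys",
     "userIdentity": {"userName": "alice", "accessKeyId": "AKIAEXAMPLEALICE0001"},
     "requestParameters": {"userName": "alice"}},
]]

WINDOW = timedelta(seconds=30)  # assumed window; page reports ~3-4 s propagation


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_post_deletion_activity(raw_events, window=WINDOW):
    """Return alerts for (a) any call signed with an already-deleted key and
    (b) CreateAccessKey for a user whose key was deleted within `window`."""
    events = sorted((json.loads(e) for e in raw_events), key=lambda e: e["eventTime"])
    deleted_keys = {}   # accessKeyId -> time of DeleteAccessKey
    deleted_users = {}  # userName -> most recent DeleteAccessKey on that user
    alerts = []
    for ev in events:
        t, name = parse_time(ev["eventTime"]), ev["eventName"]
        params = ev.get("requestParameters") or {}
        if name == "DeleteAccessKey":
            deleted_keys[params["accessKeyId"]] = t
            deleted_users[params["userName"]] = t
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key in deleted_keys and t >= deleted_keys[key]:
            alerts.append(("deleted-key-used", key, name, ev["eventTime"]))
        user = params.get("userName")
        if name == "CreateAccessKey" and user in deleted_users and t - deleted_users[user] <= window:
            alerts.append(("key-recreated-after-delete", user, name, ev["eventTime"]))
    return alerts


if __name__ == "__main__":
    for alert in find_post_deletion_activity(SAMPLE_EVENTS):
        print(alert)
```

Against the sample records this yields three alerts: the ListAccessKeys and CreateAccessKey calls signed with the deleted key, plus the re-creation of bob's key inside the window; alice's unrelated activity is not flagged.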
