The Shocking Speed of AWS Key Exploitation

December 9, 2024

Developers at major enterprises inadvertently expose their AWS access keys often enough that it is no longer surprising, and threat actors routinely scrape those keys to gain unauthorized access to sensitive assets. What has changed in recent years is the speed at which these exposures are exploited. A group of security researchers recently put this to the test, and the results are worth examining. The test was simple: sets of AWS keys were created and intentionally leaked on a number of common platforms, including GitHub, GitLab, Docker Hub, npm, PyPI, Crates.io, Pastebin, Stack Overflow, Quora, and Reddit. The leaked keys were then monitored to see how long it took for them to be discovered and used.

The results showed that AWS keys leaked on GitHub and Docker Hub were found and exploited within minutes. Keys leaked on PyPI or Pastebin were exploited within hours. Most of the others were found within 1 to 5 days, and the keys revealed on npm were apparently never touched. These results indicate an extensive automated infrastructure that constantly trawls the major sources for secrets. According to the researchers, exploitation on GitHub was so fast that it necessarily implies automation rather than opportunism. This speed is particularly worrying because it outpaces AWS's automatic quarantine, making it possible for threat actors to log into sandboxed cloud environments, engage in reconnaissance, escalate privileges, and establish persistence within the network before the credentials can be locked down. In the long run, new protocols will have to be created to address this problem, but for now, the key to protecting AWS keys must be continuous detection and swift action.
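
One form of the continuous detection described above, as an added example that is not from the original article or the researchers: a scanner that flags AWS access key IDs in text before it is published and escalates when a likely secret access key sits within a few lines. The function names, the three-line window and the entropy threshold are assumptions; the sample key pair is the placeholder used in AWS documentation.

```python
import math
import re

# Access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary STS) + 16 more.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars from the base64 alphabet; so are many harmless
# strings (e.g. git SHA-1 hashes), hence the entropy filter below.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(s):
    """Bits per character of s."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_text(text, window=3, min_entropy=4.0):
    """Find key IDs; pair each with a likely secret within `window` lines."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in KEY_ID_RE.finditer(line):
            nearby = range(max(0, i - window), min(len(lines), i + window + 1))
            secret_line = next(
                (j + 1 for j in nearby for s in SECRET_RE.finditer(lines[j])
                 if shannon_entropy(s.group()) >= min_entropy),
                None,
            )
            key = m.group()
            findings.append({
                "line": i + 1,
                "key_id": key[:4] + "*" * 12 + key[-4:],  # never re-log the full ID
                "temporary": key.startswith("ASIA"),
                "secret_line": secret_line,
                # ID + secret together is a usable credential; an ID alone is a lead
                "severity": "critical" if secret_line else "review",
            })
    return findings


# Constructed sample input; the key pair is the placeholder from AWS documentation.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f)
```

A 40-character hex string such as a commit hash cannot reach 4.0 bits per character, so it is not mistaken for a secret; a key ID found on its own is still reported at the lower severity.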
