The AWS managed policy AWSCompromisedKeyQuarantine has been attached

cloudtrail

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when the AWS managed policy AWSCompromisedKeyQuarantine has been attached to a user, role, or group.

Strategy

This rule monitors AWS CloudTrail and detects when the AWS managed policy AWSCompromisedKeyQuarantine has been attached to a user, role, or group. It is applied by the AWS team in the event that an IAM user’s credentials has been compromised or publicly exposed.

Triage and response

  1. An AWS support case has been opened regarding this event and contains instructions for investigation.
  2. Investigate any other actions carried out by the compromised identity {{@userIdentity.arn}} using the Cloud SIEM investigator.

Changelog

12 June 2025 - Update title and link to align with the latest AWSCompromisedKeyQuarantineV3 managed policy.