Lateral movement

Sensitive AWS Keys on System

Risk Level

Hazardous (3)

Compliance Frameworks

About AWS Access Keys

AWS access keys are used to sign requests to the AWS API or CLI. An access key has two components: an access key ID and a secret access key. Both of these components are used during authentication.

To gain programmatic access to AWS, you must first authenticate using your access keys. Access keys can be created directly from the AWS IAM console.

AWS keys provide indefinite access unless they are manually revoked. However, for many use cases, you don’t need long-term access without an expiration date. This is why AWS recommends using temporary credentials (generated using the Security Token Service) instead of AWS keys. In addition to the access key ID and secret access key, temporary credentials also have a security token that specifies the expiration date of the credentials.

Think of AWS keys as literal keys to your system. Anyone with your key has access to all the resources that you do and can perform any operations that you are authorized to perform like launch EC2 instances, delete S3 objects, etc. This is why you must always store your keys in a safe location, and never share them with anyone, especially not external parties.

Cloud Risk Description

By default, sensitive AWS keys are stored on the file system. If these keys are obtained by a malicious actor, they can use them to access sensitive resources and perform unauthorized operations.

How Does Orca Help?

Orca checks for AWS keys in the default location where it is configured, which is ~/.aws/credentials.

Real-Life Incidents

Exposure of sensitive data can lead to large scale cyber attacks. Here are a few examples:


Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.