Credential Leak: Cached AWS Access Key on Single Windows Host Exposes 98% of Cloud Resources
What Happened — A cached AWS access key stored on a Windows workstation was discovered to grant an attacker lateral movement to roughly 98 % of the organization’s cloud entities. The key was generated through normal user login and was not the result of a misconfiguration.
Why It Matters for TPRM —
- Credential exposure on a single endpoint can compromise the majority of a vendor’s cloud environment.
- Third‑party risk programs must assess not only policy compliance but also endpoint credential hygiene.
- Undetected identity‑based attack paths can lead to data exfiltration, service disruption, or downstream supply‑chain impact.
Who Is Affected — Cloud‑focused SaaS providers, MSPs, and any organization relying on AWS IAM credentials for internal or customer workloads.
Recommended Actions —
- Conduct an inventory of cached credentials on all endpoints and enforce credential eviction policies.
- Deploy privileged access management (PAM) solutions that isolate and rotate access keys automatically.
- Review third‑party IAM practices and require proof of secure credential handling in contracts.
Technical Notes — Attack vector: stolen cached AWS access key (credential compromise). No CVE involved; the issue stems from default AWS SDK behavior that stores short‑lived keys on the host. Data types at risk include any cloud‑hosted workloads, configuration data, and potentially customer data stored in S3, RDS, or other services. Source: The Hacker News