Cybersecurity Officer
Active
Advanced ~8h

IAM Breach: Privileged Access Compromise

An attacker assumed a privileged AWS role via a leaked CI/CD token. Contain, eradicate, and brief the board in 72 hours.

The situation

At 02:14 UTC, GuardDuty fired a high-severity finding: the IAM role ci-deployer-prod was assumed from an unusual ASN in Eastern Europe and used to call sts:GetCallerIdentity, iam:ListUsers, iam:CreateAccessKey, and s3:GetObject against the customer-pii-prod bucket. The key used to assume it traces to a public GitHub fork of an internal Terraform module, where a developer hard-coded a long-lived access key 11 days ago. As CISO, you must lead the response: contain the blast radius, determine what data was accessed, decide on customer and regulator notification under GDPR Art. 33 (the 72-hour clock), and present a hardening plan to the board.

Context

  • ci-deployer-prod had AdministratorAccess on the production AWS account — a known finding from the last audit, never remediated.
  • The credential was a long-lived IAM access key (no MFA, no session duration limit). It had been publicly exposed for 11 days before detection.
  • CloudTrail shows 1,847 API calls from the attacker IP across a 38-minute window before the automated containment triggered by the GuardDuty finding took effect.
  • The customer-pii-prod bucket contains ~2.4M customer records subject to GDPR and CCPA.
  • A Burp Suite scan of the public-facing /api/v2/users endpoint revealed a related IDOR vulnerability that may have been chained with the cloud compromise.
  • Legal counsel believes the 72-hour GDPR notification clock started at 02:14 UTC — confirmation of scope is the gating item.

Your objectives

  • Contain the active session and rotate all credentials with blast-radius exposure.
  • Reconstruct the attacker's kill chain from CloudTrail, VPC Flow Logs, and Burp findings.
  • Determine whether customer PII was exfiltrated — quantify, don't guess.
  • Decide on regulator notification (GDPR/CCPA) and customer disclosure with Legal.
  • Deliver a board-ready hardening plan: short-lived credentials, SCPs, just-in-time access.

Phases

  1. Detect & contain

    Deactivate the leaked key, revoke the role's existing sessions, and issue the pipeline a replacement credential.

  2. Investigate & scope

    Reconstruct the kill chain from logs and pentest evidence.

  3. Notify & disclose

    GDPR Art. 33 decision, customer comms, regulator filings.

  4. Eradicate & harden

    Kill long-lived keys, deploy SCPs, roll out OIDC federation.

  5. Board briefing & postmortem

    Present findings, plan, and accountability.
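Phase 1 as runnable commands, added here as an example rather than the scenario's own playbook. It assumes the leaked key belonged to an IAM user named ci-deployer and that the AWS CLI is configured with IAM write access; every key ID is a constructed placeholder. The point the phase list leaves implicit: an STS session cannot be revoked, only denied, so the "revoke" step is an inline Deny conditioned on aws:TokenIssueTime attached to both the role and the user, and the leaked key is deactivated before it is deleted so that it stays visible to the investigation.

```python
"""Phase 1 containment for the leaked key used to assume ci-deployer-prod.
Added example, not the scenario's playbook. Assumptions: the key belonged to
an IAM user named ci-deployer; key IDs are constructed placeholders; the AWS
CLI is configured with IAM write access.
"""
import json
import shlex
import subprocess
from datetime import datetime, timezone
from typing import Dict, List, Tuple

ROLE_NAME = "ci-deployer-prod"           # from the scenario
IAM_USER = "ci-deployer"                 # assumption
LEAKED_KEY_ID = "AKIA0000000000LEAKED"   # constructed placeholder
POLICY_NAME = "RevokeOlderSessions"


def utc(stamp: str) -> datetime:
    """Parse a CloudTrail-style timestamp, e.g. the auto-containment time."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def revoke_sessions_policy(cutoff: datetime) -> Dict:
    """Inline Deny for every session whose token was issued before cutoff.

    STS credentials cannot be revoked individually; the console's "Revoke
    active sessions" button attaches exactly this statement. Sessions issued
    after the cutoff (the pipeline re-assuming with new credentials) still work.
    """
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware; CloudTrail is UTC")
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": POLICY_NAME,
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
    }]}


def containment_commands(cutoff: datetime,
                         attacker_created_keys: List[Tuple[str, str]]) -> List[List[str]]:
    """Ordered AWS CLI argv lists for phase 1.

    The leaked key is deactivated, not deleted: it stays visible in IAM and
    CloudTrail for the timeline and can be re-enabled if the wrong key was
    picked. The Deny goes on the user as well as the role, because sessions
    minted with the user key are evaluated against the user's policies, not
    the key's status, and would otherwise run until they expire.
    """
    doc = json.dumps(revoke_sessions_policy(cutoff))
    cmds = [
        ["aws", "iam", "update-access-key", "--user-name", IAM_USER,
         "--access-key-id", LEAKED_KEY_ID, "--status", "Inactive"],
        ["aws", "iam", "put-role-policy", "--role-name", ROLE_NAME,
         "--policy-name", POLICY_NAME, "--policy-document", doc],
        ["aws", "iam", "put-user-policy", "--user-name", IAM_USER,
         "--policy-name", POLICY_NAME, "--policy-document", doc],
    ]
    # Keys the attacker minted with iam:CreateAccessKey are a second way back in.
    for user, key_id in attacker_created_keys:
        cmds.append(["aws", "iam", "update-access-key", "--user-name", user,
                     "--access-key-id", key_id, "--status", "Inactive"])
    return cmds


def run(cmds: List[List[str]], dry_run: bool = True) -> List[str]:
    """Print (dry run) or execute the commands; returns them as shell lines."""
    lines = [shlex.join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return lines


if __name__ == "__main__":
    # Constructed: two of the four keys the alert says the attacker created.
    minted = [("svc-billing", "AKIA0000000000MINT01"), ("svc-etl", "AKIA0000000000MINT02")]
    for line in run(containment_commands(datetime.now(timezone.utc), minted)):
        print(line)
```

The Deny also cuts off the legitimate pipeline's sessions issued before the cutoff; it re-assumes the role with its replacement credential once containment is done. The list of attacker-minted keys is an input here because phase 2's CloudTrail review is what produces it.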

Tasks

  • Revoke active sessions for ci-deployer-prod (deactivate the leaked key with aws iam update-access-key, attach a revoke-older-sessions Deny policy to the role, then aws iam delete-access-key once evidence is preserved) · due T+0:30
  • Pull full CloudTrail JSON for the 38-minute window into the SIEM · due T+2:00
  • Run Burp Suite re-scan against /api/v2/users to confirm IDOR fix coverage · due T+6:00
  • Diff S3 server access logs and CloudTrail S3 data events against the bucket inventory to enumerate exfiltrated objects · due T+12:00
  • Sweep all repos for hard-coded credentials (TruffleHog + Gitleaks across 412 repos) · due T+18:00
  • Draft GDPR Art. 33 notification with Legal · due T+48:00
  • Stand up GitHub OIDC federation to replace long-lived deploy keys · due T+60:00
  • Deliver board briefing with 90-day hardening plan · due T+72:00
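The CloudTrail reconstruction and S3 scoping tasks, as an added example that is not the scenario's own tooling. It pivots from the attacker's source IP to the temporary credentials the AssumeRole call handed out, so later calls of that session from a second exit node are still attributed, then extracts persistence (successful iam:CreateAccessKey calls) and the distinct objects read from customer-pii-prod. The records are constructed to mirror the alert; IPs, key IDs, the account ID 123456789012 and object keys are placeholders.

```python
"""Phase 2: attacker timeline, persistence and S3 scope from CloudTrail.
Added example, not the scenario's tooling. All records are constructed to
mirror the alert; IPs, key IDs, account ID and object keys are placeholders.
"""
import json
from datetime import datetime
from typing import Dict, List, Tuple

ACCOUNT = "123456789012"
LEAKED = {"type": "IAMUser", "userName": "ci-deployer", "accessKeyId": "AKIA0000000000LEAKED"}
TOR = {"type": "AssumedRole", "accessKeyId": "ASIA0000000000SESS01",
       "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deployer-prod/tor"}
CI = {"type": "AssumedRole", "accessKeyId": "ASIA0000000000CIRUN1",
      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deployer-prod/gha-4411"}
PII = {"bucketName": "customer-pii-prod"}


def _ev(time, service, name, ip, who, req=None, resp=None, err=None) -> Dict:
    r = {"eventTime": time, "eventSource": f"{service}.amazonaws.com", "eventName": name,
         "sourceIPAddress": ip, "userIdentity": who, "requestParameters": req, "responseElements": resp}
    if err:
        r["errorCode"] = err
    return r


SAMPLE = json.dumps({"Records": [  # constructed; the Tor exits sit in the alert's 185.220.101.x range
    _ev("2024-03-12T02:14:07Z", "sts", "AssumeRole", "185.220.101.45", LEAKED,
        {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ci-deployer-prod", "roleSessionName": "tor"},
        {"credentials": {"accessKeyId": "ASIA0000000000SESS01"}}),
    _ev("2024-03-12T02:14:12Z", "sts", "GetCallerIdentity", "185.220.101.45", TOR),
    _ev("2024-03-12T02:15:30Z", "iam", "ListUsers", "185.220.101.45", TOR),
    _ev("2024-03-12T02:16:02Z", "iam", "CreateAccessKey", "185.220.101.45", TOR, {"userName": "svc-billing"},
        {"accessKey": {"userName": "svc-billing", "accessKeyId": "AKIA0000000000MINT01", "status": "Active"}}),
    _ev("2024-03-12T02:16:40Z", "iam", "CreateAccessKey", "185.220.101.45", TOR, {"userName": "svc-etl"},
        err="LimitExceeded"),
    _ev("2024-03-12T02:20:41Z", "s3", "GetObject", "185.220.101.45", TOR, {**PII, "key": "exports/customers-2024-03.csv"}),
    _ev("2024-03-12T02:21:03Z", "s3", "GetObject", "185.220.101.45", TOR, {**PII, "key": "exports/customers-2024-03.csv"}),
    # Same session from a second Tor exit: only the credential pivot attributes this one.
    _ev("2024-03-12T02:22:15Z", "s3", "GetObject", "185.220.101.77", TOR, {**PII, "key": "exports/customers-2024-02.csv"}),
    # Legitimate pipeline run in the same window; must not be attributed to the attacker.
    _ev("2024-03-12T02:30:00Z", "s3", "GetObject", "10.0.4.12", CI, {**PII, "key": "exports/customers-2024-03.csv"}),
]})


def load_records(text: str) -> List[Dict]:
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def _key(r: Dict) -> str:
    return (r.get("userIdentity") or {}).get("accessKeyId", "")


def attacker_events(records: List[Dict], seed_ips: List[str]) -> List[Dict]:
    """Everything attributable to the attacker, sorted by time. An AssumeRole from a
    seed IP returns temporary credentials whose ASIA key ID tags every later call
    of that session, whatever its source IP."""
    ips, keys = set(seed_ips), set()
    for r in records:
        if r.get("eventName") == "AssumeRole" and r.get("sourceIPAddress") in ips:
            cred = (r.get("responseElements") or {}).get("credentials") or {}
            if cred.get("accessKeyId"):
                keys.add(cred["accessKeyId"])
    hits = [r for r in records if r.get("sourceIPAddress") in ips or _key(r) in keys]
    return sorted(hits, key=lambda r: r["eventTime"])


def timeline(events: List[Dict]) -> List[str]:
    return [f"{r['eventTime']} {r['eventSource'].split('.')[0]}:{r['eventName']} ip={r.get('sourceIPAddress')}"
            + (f" FAILED {r['errorCode']}" if r.get("errorCode") else "") for r in events]


def persistence(events: List[Dict]) -> List[Tuple[str, str]]:
    """Successful CreateAccessKey calls: keys that outlive the session."""
    out = []
    for r in events:
        if r.get("eventName") == "CreateAccessKey" and not r.get("errorCode"):
            ak = (r.get("responseElements") or {}).get("accessKey") or {}
            out.append((ak.get("userName"), ak.get("accessKeyId")))
    return out


def exfil_scope(events: List[Dict], bucket: str) -> Dict:
    """Distinct objects read from bucket. GetObject reaches CloudTrail only when S3
    data events are enabled, so an empty list is not proof of no exfiltration."""
    reads = [r for r in events if r.get("eventName") == "GetObject" and not r.get("errorCode")
             and (r.get("requestParameters") or {}).get("bucketName") == bucket]
    return {"bucket": bucket, "reads": len(reads), "data_events_seen": bool(reads),
            "distinct_objects": sorted({r["requestParameters"]["key"] for r in reads})}


def window(events: List[Dict]) -> Tuple[str, str, int]:
    """First and last attacker event and the span in seconds."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    first, last = events[0]["eventTime"], events[-1]["eventTime"]
    return first, last, int((datetime.strptime(last, fmt) - datetime.strptime(first, fmt)).total_seconds())


if __name__ == "__main__":
    ev = attacker_events(load_records(SAMPLE), ["185.220.101.45"])
    print("\n".join(timeline(ev)))
    print("window:", window(ev), "persistence:", persistence(ev))
    print("scope:", exfil_scope(ev, "customer-pii-prod"))
```

Two caveats for the scope report: the object list is an upper bound on what was read, not proof of what left the account, so pair it with VPC Flow Log byte counts for the same session before a record count goes to Legal; and where S3 data events were not enabled, the S3 server access logs are the only record of GetObject calls.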

Inbox for this scenario

GuardDuty Alert · AWS Security Hub

02:14 UTC

[HIGH] UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS

Role ci-deployer-prod assumed from 185.220.101.x (Tor exit / RU ASN). 1,847 API calls in 38 min including iam:CreateAccessKey on 4 service accounts and s3:GetObject against customer-pii-prod. Auto-containment engaged at 02:52 UTC.

Urgent
Ravi Subramanian · CEO

06:40 UTC

I need to know what to tell the board

Saw the security incident page. Was customer data taken? Do we have to tell regulators? I have the board on the phone in 6 hours — give me the cleanest answer you can, but don't speculate.

Urgent
Priya Iyer · General Counsel

05:10 UTC

GDPR 72-hour clock — confirm start time

If this constitutes a 'personal data breach' under Art. 4(12), we have until 02:14 UTC Thursday to notify the lead supervisory authority. I need your scope assessment by tomorrow noon to make the call. Document everything.

High
Marcus Chen · Incident Response Lead

04:55 UTC

CloudTrail pulled, Burp findings attached

Full CloudTrail JSON is in the evidence locker. I also re-ran the Burp Suite scan from last quarter — the IDOR on /api/v2/users is still exploitable in staging. Recommend we treat as chained attack until proven otherwise.

High
Hannah Weiss · Platform Engineering

07:20 UTC

We need to talk about long-lived keys

I flagged this in the Q1 audit. Eleven engineers still have static AWS access keys with admin scope. If you sign off, I can ship the GitHub OIDC migration this week and kill every long-lived key by Friday.

FYI
Dev (anonymous) · Engineering

08:05 UTC

I think this is my fault

I forked the terraform-prod repo to test locally and didn't realize the access key was in the .tfvars. The fork was public for 11 days. I'm so sorry. What do I do?

High

Success criteria

  • All exposed credentials rotated and the offending role replaced with short-lived OIDC federation within 24h.
  • Forensic timeline reconstructed and signed off by the IR lead.
  • GDPR Art. 33 decision documented with Legal before the 72h clock expires.
  • Board-approved 90-day hardening roadmap with named owners and budget.

Stakeholders

  • Ravi Subramanian, CEO (stance: tense)
  • Priya Iyer, General Counsel (stance: neutral)
  • Marcus Chen, IR Lead (stance: supportive)
  • Hannah Weiss, Platform Eng Lead (stance: supportive)
  • Aisha Kapoor, DPO (stance: neutral)
  • Board Risk Committee, Board (stance: tense)

Deliverables

  • Incident Forensic Timeline (in review): minute-by-minute kill chain from initial access to containment, sourced from CloudTrail, VPC Flow Logs and Burp evidence.
  • Data Exfiltration Scope Report (draft): enumerated S3 objects accessed, customer record count, sensitivity classification.
  • GDPR Art. 33 Notification, draft (pending): notification to the lead supervisory authority within 72h, co-signed by Legal and DPO.
  • Customer Disclosure Comms (pending): email and status-page copy if the notification threshold is met. Legal and PR sign-off required.
  • 90-Day Hardening Roadmap (pending): kill long-lived keys, deploy SCPs, JIT access, secret scanning in CI, OIDC federation. Named owners and budget.
  • Board Briefing Deck (pending): what happened, what we did, what we'll change. 10 slides, no jargon.
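The roadmap's two policy artefacts, as an added example that is not the scenario's deliverable: a GitHub OIDC trust policy pinned to one repository and branch, a linter for the two mistakes that make such a policy as broad as the key it replaces, and an SCP that denies iam:CreateAccessKey (the attacker's persistence step) for everything except a break-glass role. The organisation and repository names, the account ID and the break-glass ARN are assumptions.

```python
"""Phase 4 hardening artefacts: OIDC trust policy, trust-policy linter, SCP.
Added example; org/repo, account ID and the break-glass role ARN are
assumptions, not values from the scenario.
"""
import fnmatch
import json
from typing import Dict, List, Union

ACCOUNT = "123456789012"  # placeholder account id
PROVIDER = "token.actions.githubusercontent.com"


def _as_list(v: Union[str, List[str], None]) -> List[str]:
    return [] if v is None else ([v] if isinstance(v, str) else list(v))


def github_oidc_trust_policy(org: str, repo: str, branch: str) -> Dict:
    """Trust policy for a deploy role assumed via sts:AssumeRoleWithWebIdentity.

    Both claims are pinned with StringEquals: aud so the token was minted for AWS,
    sub so only workflow runs of one repo on one branch qualify. The sub format is
    repo:<org>/<repo>:ref:refs/heads/<branch>; a GitHub deployment environment
    would use repo:<org>/<repo>:environment:<name> instead.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{PROVIDER}:aud": "sts.amazonaws.com",
            f"{PROVIDER}:sub": f"repo:{org}/{repo}:ref:refs/heads/{branch}",
        }},
    }]}


# The common weak form: no aud check, and a StringLike sub covering every
# repository in the org, so any fork's or side project's workflow can assume prod.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{PROVIDER}:sub": "repo:acme/*"}},
}]}


def lint_trust_policy(policy: Dict) -> List[str]:
    """Findings for federated Allow statements that admit more than one pipeline."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Federated" not in (st.get("Principal") or {}):
            continue
        cond = st.get("Condition") or {}
        eq, like = cond.get("StringEquals") or {}, cond.get("StringLike") or {}
        if eq.get(f"{PROVIDER}:aud") != "sts.amazonaws.com":
            findings.append("aud not pinned to sts.amazonaws.com")
        subs = _as_list(eq.get(f"{PROVIDER}:sub")) + _as_list(like.get(f"{PROVIDER}:sub"))
        if not subs:
            findings.append("no sub condition: any repository using the provider can assume the role")
        for pat in subs:
            parts = pat.split(":")  # repo : org/repo : ref|environment|pull_request ...
            if len(parts) < 2 or "*" in parts[1]:
                findings.append(f"sub not pinned to a single repository: {pat}")
            elif "*" in pat:
                findings.append(f"sub admits any branch, tag or pull request of the repo: {pat}")
    return findings


def scp_no_static_credentials(break_glass_role_arn: str) -> Dict:
    """Org-wide Deny on minting long-lived credentials. The attacker's
    iam:CreateAccessKey calls on service accounts would have failed under it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "NoNewStaticCredentials",
        "Effect": "Deny",
        "Action": ["iam:CreateAccessKey", "iam:CreateLoginProfile"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": [break_glass_role_arn]}},
    }]}


def scp_denies(scp: Dict, action: str, principal_arn: str) -> bool:
    """Minimal evaluator for Deny statements with an ArnNotLike principal exemption."""
    for st in scp["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action"))):
            continue
        exempt = _as_list(((st.get("Condition") or {}).get("ArnNotLike") or {}).get("aws:PrincipalArn"))
        if any(fnmatch.fnmatchcase(principal_arn, e) for e in exempt):
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(github_oidc_trust_policy("acme", "terraform-prod", "main"), indent=2))
    print("weak policy findings:", lint_trust_policy(WEAK_TRUST_POLICY))
    scp = scp_no_static_credentials(f"arn:aws:iam::{ACCOUNT}:role/break-glass")
    print("attacker CreateAccessKey denied:",
          scp_denies(scp, "iam:CreateAccessKey", f"arn:aws:iam::{ACCOUNT}:role/ci-deployer-prod"))
```

The SCP stops new static keys but does nothing about the eleven existing ones Platform Engineering flagged; those are deactivated individually once OIDC is live. SCPs also do not constrain the organisation's management account, so the break-glass role belongs in a member account.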

Competencies assessed

  • Incident Response & Forensics: 78 / 100
  • Cloud Security (AWS IAM): 82 / 100
  • Application Security & Pentesting: weight 15%
  • Regulatory & Legal Judgment: weight 15%
  • Crisis Communication: weight 15%
  • Security Architecture: weight 10%

Tools

Burp Suite · AWS Cloud Console · CloudTrail Explorer · SIEM Query · Secret Scanner · IAM Policy Simulator