Security researchers have documented a persistence technique in AWS Identity and Access Management (IAM) that stems from its eventual consistency model and lets attackers retain access even after defenders delete compromised access keys.
AWS IAM, like many distributed systems, uses eventual consistency to scale across regions and replicas. Updates to resources such as access keys or policies propagate with a delay of roughly 3-4 seconds, as confirmed by OFFENSAI's testing in regions including us-east-1 and eu-central-1.
During this window a deleted key still authenticates API calls. An attacker holding it can poll ListAccessKeys, see the key vanish from the returned list (an empty array for a single-key user), and call CreateAccessKey to mint a replacement before invalidation completes.

Security firm OFFENSAI demonstrated this in a simulated attack: a defender runs aws iam delete-access-key --access-key-id AKIA… --user-name bob, and the attacker immediately follows with aws iam create-access-key --user-name bob using the key that was just deleted.
CloudTrail accurately records both the deletion and the subsequent actions, yet the consistency lag still permits persistence. The same lag applies to policy attachments, role deletions and login profiles, which widens the risk during incident response.

Traditional playbooks fail here: attaching a deny-all policy such as the AWS managed AWSDenyAll is subject to the same propagation window, and an attacker polling ListAccessKeys or similar APIs can detect the change and detach the policy before it takes effect.
AWS's own Credential Cleanup Procedure, published on re:Post, advises waiting out the full propagation period, but that offers little protection against an attacker who is already acting inside the window and preempts policy enforcement.
Post-disclosure testing revealed partial fixes: a deleted key now blocks new key creation, but gaps persist. An attacker can still detect the change and create a role with AdministratorAccess that is assumable from an external account.
OFFENSAI recommends applying an account-level Service Control Policy (SCP) through AWS Organizations that denies all actions for the compromised principals. SCPs are managed from the organization's management account, so an attacker operating inside the member account cannot detach them.
Only after the SCP has propagated should cleanup proceed. AWS acknowledged the findings in April 2025 and applied development fixes and documentation updates without classifying the behaviour as a vulnerability. Retests shared on December 5, 2025, align with that assessment, and OFFENSAI urges organizations to revise their playbooks.
AWS Spokesperson said to Cybersecuritynews.com that “IAM uses a distributed computing model called eventual consistency. This means any changes that you make in IAM (or other AWS services) take time to become visible across endpoints. Some delay results from the time it takes to send data from server to server, replication zone to replication zone, and Region to Region. IAM also uses caching to improve performance, but in some cases this can add time.”
“The change might not be visible until the previously cached data times out. AWS recommends that customers implement security best practices and design their applications to account for these delays. For example, customers should avoid long-term IAM access keys because their indefinite validity and potential for theft or accidental disclosure create risk. Instead, customers should use temporary credentials, generated via the AWS Security Token Service (STS), or leverage IAM roles and federation for programmatic access to AWS services, as these methods offer time-limited access that automatically expires. We recommend you follow the runbook we have published on re:Post to address this: Credential Cleanup Procedure.”
No in-the-wild exploits surfaced. Organizations should integrate such delays into detection rules, favoring IAM roles and STS temporary credentials over long-term keys to minimize exposure.
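As an added example, and not code from OFFENSAI, AWS or this site, the following Python turns the article's observations into something a defender can run: a detection rule over CloudTrail records that flags any call authenticated with an already-deleted access key and any CreateAccessKey that follows a DeleteAccessKey for the same user within a short window, plus a generator for the quarantine SCP OFFENSAI recommends. The account ID, user names, key IDs and events are constructed; the 30-second alert window, the finding names and the helper names are this example's own assumptions.

```python
"""Detection and containment for the IAM consistency race described above.
Added example, not OFFENSAI's or AWS's code. CloudTrail field names follow the
documented event schema; the account ID, user names and key IDs are constructed.
RACE_WINDOW and the finding names are this example's own assumptions."""
from datetime import datetime, timedelta, timezone
import json

# Assumption: alert on re-creation within a safety margin over the 3-4 s lag.
RACE_WINDOW = timedelta(seconds=30)
ACCOUNT = "111122223333"  # constructed account ID


def parse_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_consistency_abuse(events, window=RACE_WINDOW):
    """Scan CloudTrail events in time order and return findings for two patterns:
    deleted_key_used: any call signed with an access key whose DeleteAccessKey
        was already logged, i.e. use of the key inside the propagation window;
    key_recreated: an IAM CreateAccessKey for a user within `window` of a
        DeleteAccessKey for that same user."""
    findings = []
    deleted_at = {}    # accessKeyId -> time its DeleteAccessKey was logged
    user_deletes = {}  # userName -> time of the latest DeleteAccessKey
    for e in sorted(events, key=parse_time):
        t = parse_time(e)
        ident = e.get("userIdentity", {})
        params = e.get("requestParameters") or {}
        caller_key = ident.get("accessKeyId")
        # CloudTrail records the signing key for every call, to any service.
        if caller_key in deleted_at and t >= deleted_at[caller_key]:
            findings.append({"type": "deleted_key_used", "accessKeyId": caller_key,
                             "eventName": e["eventName"], "eventTime": e["eventTime"],
                             "principal": ident.get("arn")})
        is_iam = e.get("eventSource") == "iam.amazonaws.com"
        # userName is optional in both APIs; a self-service call omits it.
        user = params.get("userName") or ident.get("userName")
        if is_iam and e["eventName"] == "DeleteAccessKey":
            deleted_at[params["accessKeyId"]] = t
            user_deletes[user] = t
        elif is_iam and e["eventName"] == "CreateAccessKey":
            last = user_deletes.get(user)
            if last is not None and t - last <= window:
                resp = e.get("responseElements") or {}
                findings.append({"type": "key_recreated", "userName": user,
                                 "newKeyId": resp.get("accessKey", {}).get("accessKeyId"),
                                 "secondsAfterDelete": (t - last).total_seconds(),
                                 "principal": ident.get("arn")})
    return findings


def principals_to_quarantine(findings):
    return sorted({f["principal"] for f in findings if f.get("principal")})


def quarantine_scp(principal_arns):
    """SCP denying every action to the listed principals. It is created and
    attached from the Organizations management account (to the member account
    or its OU), so nothing inside the member account can detach it, unlike the
    AWSDenyAll managed policy the article discusses."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "QuarantineCompromisedPrincipals",
                           "Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"ArnEquals": {"aws:PrincipalArn": list(principal_arns)}}}]}


def _ev(time, name, caller, key, params, resp=None, source="iam.amazonaws.com"):
    """Constructed CloudTrail record carrying only the fields the detector reads."""
    e = {"eventTime": time, "eventSource": source, "eventName": name,
         "userIdentity": {"type": "IAMUser", "userName": caller, "accessKeyId": key,
                          "arn": f"arn:aws:iam::{ACCOUNT}:user/{caller}"},
         "requestParameters": params}
    if resp is not None:
        e["responseElements"] = resp
    return e


SAMPLE_EVENTS = [  # constructed timeline mirroring the article's simulated attack
    # defender alice deletes bob's compromised key ...
    _ev("2025-04-10T12:00:00Z", "DeleteAccessKey", "alice", "AKIAEXAMPLEALICE0001",
        {"userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB000001"}),
    # ... the deleted key still works one second later and sees the empty list ...
    _ev("2025-04-10T12:00:01Z", "ListAccessKeys", "bob", "AKIAEXAMPLEBOB000001", {"userName": "bob"}),
    # ... and mints a replacement before propagation finishes
    _ev("2025-04-10T12:00:02Z", "CreateAccessKey", "bob", "AKIAEXAMPLEBOB000001", {"userName": "bob"},
        {"accessKey": {"accessKeyId": "AKIAEXAMPLEBOB000002", "status": "Active", "userName": "bob"}}),
    # benign key creation for carol with no preceding deletion: must not alert
    _ev("2025-04-10T12:30:00Z", "CreateAccessKey", "alice", "AKIAEXAMPLEALICE0001", {"userName": "carol"},
        {"accessKey": {"accessKeyId": "AKIAEXAMPLECAROL0001", "status": "Active", "userName": "carol"}}),
]

if __name__ == "__main__":
    found = detect_consistency_abuse(SAMPLE_EVENTS)
    for f in found:
        print(json.dumps(f))
    print(json.dumps(quarantine_scp(principals_to_quarantine(found)), indent=2))
```

Two caveats apply when using this for real. The SCP is scoped to the principals the detector saw; if the attacker has already created other principals (such as the externally assumable role the article mentions), add those ARNs or quarantine more broadly, and remember that SCPs do not affect the management account's own principals or service-linked roles. The SCP itself is subject to the same propagation delay, so, as the article says, wait for it to take effect before deleting keys, roles or login profiles.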