Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AWS root account compromise: what does it reveal about IAM controls?


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: A former maintainer retained unrotated shared AWS root credentials in Ruby Central’s vault, then used them for an unauthorized login that briefly seized full administrative control and disrupted services, according to Unosecur. The incident shows how offboarding failures and shared privileged access can turn one stale credential into environment-wide risk.

NHIMG editorial — based on content published by Unosecur: AWS Root Account Compromise: Insider Misuse Exposes Credential Hygiene Gaps

By the numbers:

Questions worth separating out

Q: What breaks when a former employee still has access to shared cloud root credentials?

A: Offboarding no longer removes authority, so a departed operator can re-enter production through a credential the organisation still trusts.

Q: Why do shared privileged credentials increase cloud breach impact?

A: Shared privileged credentials collapse multiple responsibilities into one secret, so compromise affects administration, detection, and automation at the same time.

Q: What do security teams get wrong about root account protection?

A: They often treat root protection as a password problem when it is really a governance problem.

Practitioner guidance

  • Revoke and replace shared root credentials immediately Replace every shared AWS root secret with a fresh credential pair, verify vault entries, and confirm that no downstream system still references the old value.
  • Restrict root use to documented break-glass events Remove routine operational dependence on the root account, require explicit approval for use, and maintain a separate path for emergency administration.
  • Tie offboarding to privileged secret invalidation Make leaver processing trigger revocation of vault-held secrets, cloud console access, and any linked SaaS or CI/CD integrations before the exit record closes.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step account of the AWS root login sequence and the observed IP geographies.
  • The specific remediation checklist for root account hardening, including MFA and IAM review actions.
  • The incident timeline showing how production services and integrations were affected.
  • The article's own guidance on monitoring signals such as password resets, policy changes, and unusual logins.

👉 Read Unosecur's analysis of the AWS root account compromise and offboarding failure →

AWS root account compromise: what does it reveal about IAM controls?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Standing privileged access without lifecycle offboarding: This breach worked because a root credential survived the end of the maintainer relationship. That is not just a missed revocation step. It is a governance failure in which the organisation treated privileged access as persistent property instead of lifecycle-bound authority. The implication is that access ownership must end when the relationship ends, or the account remains exploitable.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • Our research also found that 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.

A question worth separating out:

Q: Who is accountable when a shared administrative credential is misused after offboarding?

A: Accountability should sit with the control owners who allowed the credential to survive the leaver process, not only with the person who used it. Lifecycle governance must cover vault ownership, revocation workflows, and privileged access review so the organisation can prove authority ended when employment or responsibility ended.

👉 Read our full editorial: AWS root account compromise exposes offboarding and rotation gaps



   
ReplyQuote
Share: