detecting-compromised-cloud-credentials

Detecting Compromised Cloud Credentials

When to Use

  • When investigating alerts about unusual cloud API activity from unfamiliar locations
  • When building detection rules for credential theft and abuse across cloud environments
  • When responding to notifications from cloud providers about exposed credentials
  • When monitoring for credential stuffing or brute force attacks against cloud identities
  • When assessing the scope of a credential compromise after initial detection

Do not use for preventing credential compromise (use MFA, credential rotation, and secrets management), for detecting application-level credential theft (use application security monitoring), or for endpoint credential harvesting detection (use EDR tools).

Prerequisites

  • AWS GuardDuty enabled across all accounts and regions
  • Azure Defender for Identity and Entra ID Protection configured
  • GCP Security Command Center with Event Threat Detection enabled
  • CloudTrail, Azure Activity Log, and GCP Audit Log centralized for analysis
  • SIEM integration for cross-cloud correlation of credential abuse indicators

Installs: 7 | GitHub Stars: 6.2K | First Seen: Mar 18, 2026