Services Plugins FAQs

AWS Uploader Plugin triggering Malicious Activity Alert from AWS

Plugins
#1

Hi folks,

we’re still evaluating the AWS file uploader plugin which so far has been really a great solution to an otherwise annoying problem. However, i’m routinely informed by AWS that the access key associated with the plugin use has been compromised. I’ve deliberately limited the access of the service account and key, but still it’s an annoyance being told by AWS that they perceive you as threat to their architecture. I’ve received several messages like the one below

+++
Hello,

As part of our standard monitoring of AWS systems, we observed anomalous activity in your AWS account that indicated your AWS access key(s), along with the corresponding secret key, may have been inappropriately accessed by a third party. Unapproved users with an AWS access key could take mutating actions on your AWS resources or read your data. We strongly recommend that you immediately follow the instructions below to protect your account.
[…]

The following is the list of your affected resource(s):
Access Key:
IAMUser:
Event Name: GetCallerIdentity
Event Time: April 19, 2025, 18:23:25 (UTC+00:00)
IP: 193.32.126.170
IP Country/Region: FR
[…]

Is that something you guys have seen before? Any idea how i can gree-flag your activity to AWS?

Thanks a lot,
Cheers,
Stephan

#2

Hi @zimmerst ,

Thanks for reaching out and sharing this with us!

First off, it’s great to hear that the AWS File Uploader plugin has been helpful for your project overall. I completely understand how receiving notifications like this can be concerning, especially when dealing with sensitive AWS credentials.

In regards to your issue, it’s not uncommon for AWS to flag certain activities, especially when API calls are made from various locations or when there’s a pattern of requests that seem unusual, such as access from different IPs. This could potentially trigger AWS’s security monitoring systems, even if everything is working as expected on your end.

Here are a few steps you could take to mitigate the issue:

  1. Rotate Your Keys Regularly: Make sure you’re regularly rotating your access keys to minimize the impact of any potential compromise, especially if AWS is alerting you to suspicious access.
  2. Use IAM Roles with Limited Permissions: It sounds like you’ve already limited access to the service account, which is great. You might want to take this a step further by ensuring that only the minimum necessary permissions are granted to the IAM user associated with the plugin.
  3. Monitor and Whitelist IPs: You could whitelist specific IP ranges that are relevant to your app, making sure that only expected IPs are making requests to AWS resources. This could help to prevent AWS from flagging legitimate access as suspicious.
  4. Contact AWS Support: If you’ve been receiving multiple notifications, it’s also a good idea to reach out to AWS support directly and explain that you are using the plugin, so they can adjust any flags or alerts they’ve set on your account. Let them know you’re working with a third-party solution and ask if there’s any additional way to ensure your activity is green-flagged.

Lastly, just to clarify—this behavior is often more of a monitoring issue on AWS’s side rather than something specific to the plugin. It’s worth noting that many users who work with AWS through third-party integrations like this occasionally encounter similar alerts.

I hope that helps! Looking forward to your reply. :sunflower:

Cheers,
Support Team
Browse all Zeroqode Plugins for bubble
Banner_Last3