There are 6 general methods that blue teams can use to prevent AWS Resource Exposure Attacks. See the links below for more detailed guidance per method.

- Use AWS KMS Customer-Managed Keys to encrypt resources
- Leverage Strong Resource-based policies
- Trusted Accounts Only
- Inventory which IAM Principals are capable of Resource Exposure
- AWS Service Control Policies
- Prevent AWS RAM External Principals
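As an added example (not part of the original list or its linked guidance), the following Service Control Policy combines the last two methods: it denies any attempt to create or update a RAM resource share with `allowExternalPrincipals` set to true. It assumes the organization-level SCP is attached to the OUs that should never share outside the organization; the `Sid` values are constructed, and `ram:RequestedAllowsExternalPrincipals` is the AWS-documented condition key for those two API calls.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRamShareWithExternalPrincipals",
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "true"
        }
      }
    },
    {
      "Sid": "DenyAcceptingSharesFromOutsideOrg",
      "Effect": "Deny",
      "Action": "ram:AcceptResourceShareInvitation",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ram:ShareOwnerAccountId": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

Shares created with `allowExternalPrincipals` omitted or set to false (intra-organization sharing) are unaffected, so the SCP only blocks the exposure path rather than RAM as a whole.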