# CircleCI Incident Highlights Cloud Platform Querying Struggles for Compromised Credentials

By [Nathaniel Quist](https://www.paloaltonetworks.com/blog/author/nathaniel-q-quist-sr-threat-researcher-public-cloud-security/), [Daniel Prizmant](https://www.paloaltonetworks.com/blog/author/daniel-prizmant/) and [Steve Alsop](https://www.paloaltonetworks.com/blog/author/steve-alsop/)

Jan 18, 2023

On January 4, 2023, [CircleCI reported a security incident](https://circleci.com/blog/january-4-2023-security-alert/). CircleCI recommended, "out of an abundance of caution ... to immediately rotate any and all secrets stored in CircleCI." It was assumed that a hardcoded access key associated with CircleCI was being used to perform unauthorized actions within CircleCI customers' cloud environments, such as creating new users, access keys, cloud instances and serverless functions, as well as modifying existing cloud resources. On January 12, 2023, CircleCI released an update to the security alert stating that they were working with AWS to notify customers impacted by the incident.

The security alert, and the subsequent update, from CircleCI represent an opportunity to demonstrate how the Prisma Cloud platform can query cloud service provider (CSP) environments for evidence of activity originating from suspicious access keys, across several CSPs, within a single RQL query.

## Compromised CSP Access Keys: Detecting Operations

Prisma Cloud can assist in detecting operations taking place as the result of suspicious or compromised CSP access keys.
These keys could perform a number of suspicious operations, such as creating new access keys, users, VM instances, serverless functions, IAM policies, roles and groups, among others. The following Prisma Cloud RQL query allows internal security personnel to identify whether any of their CSP environments have witnessed these types of operations. Replace the placeholder `'Account Name'` in the `subject IN (...)` clause with the account names you want to check; an event is returned only when both its operation and its subject appear in the respective lists.

## Suspicious Operation RQL Query

```
event from cloud.audit_logs where operation IN (
  'ModifyInstanceAttribute', 'CreateFunction', 'CreateFunction20150331', 'CreateFunction2020_05_31',
  'UpdateFunction', 'UpdateFunction2020_05_31', 'UpdateFunctionCode20150331', 'UpdateFunctionCode20150331v2',
  'CreateUser', 'CreateAccessKey', 'CreateLoginProfile', 'UpdateLoginProfile', 'ImportKeyPair',
  'RunInstances', 'StartSession', 'SendCommand',
  'google.iam.admin.v1.CreateServiceAccountKey',
  'google.cloud.functions.v1.CloudFunctionsService.CreateFunction',
  'google.cloud.functions.v1beta2.CloudFunctionsService.CreateFunction',
  'google.cloud.functions.v1.CloudFunctionsService.UpdateFunction',
  'google.cloud.functions.v1beta2.CloudFunctionsService.UpdateFunction',
  'v1.compute.instances.setMetadata', 'beta.compute.instances.setMetadata',
  'Create or update custom role definition (EndRequest)',
  'Create a virtual machine (BeginRequest)',
  'Create API operation or Update API operation (BeginRequest)',
  'Create Deployment (BeginRequest)',
  'Create an Azure Automation job (BeginRequest)',
  'Create group or Update group (BeginRequest)',
  'Create Job (BeginRequest)',
  'Add or modify virtual machines. (BeginRequest)',
  'blobServices/containers/write (BeginRequest)'
) AND subject IN ( 'Account Name' )
```

Many of these operations (RunInstances, CreateFunction, SendCommand and so on) are exactly what a legitimate CI/CD pipeline does all day, so a match is a lead rather than a verdict: restrict the query's time range to the window after the CircleCI alert and compare what the matched subjects did against what the pipeline is expected to do.

## Identify All Access Keys or Group IDs

To identify the access keys or group IDs within a given CSP, the following RQL queries can assist:

### AWS Environments

```
config from cloud.resource where api.name = 'aws-iam-list-access-keys' AND json.rule = accessKeyId is not empty addcolumn userName
```

### Google Cloud Environments

```
config from cloud.resource where api.name = 'gcloud-iam-service-accounts-list' AND json.rule = uniqueId exists addcolumn email
```

### Azure Environments

```
config from cloud.resource where api.name = 'azure-active-directory-iam-group' AND json.rule = groupId is not empty addcolumn groupName
```

These three Prisma Cloud RQL queries list each user account together with its associated access key (AWS), unique ID (Google Cloud) or group ID (Azure) within the given CSP. The resulting list of accounts lets researchers identify the specific actions those accounts have taken: take the account values from the query results and insert them into the `subject IN (...)` clause of the Suspicious Operation RQL Query above in the following format: 'useraccount #1', 'useraccount #2', 'useraccount #3', and so on.

By combining the access key and group ID RQL queries with the suspicious operation RQL query, Prisma Cloud removes the barrier of having to query each CSP individually to determine whether a known or suspected access key is behaving anomalously, and helps security teams identify suspicious access key operations across their cloud environments.

## Learn More About Prisma Cloud & Rapid Response Situations

The CircleCI incident exposes a detection angle that Prisma Cloud is able to identify quickly and efficiently using its native RQL query language within the Prisma Cloud UI.
It eliminates the need for users to navigate to each CSP and run queries specific to that CSP to determine whether a single access key is performing the suspicious activity. A single RQL query within the Prisma Cloud UI will query multiple cloud environments, saving time and resources for security teams.
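The procedure above (list the identities whose credentials may have been exposed, then sweep the audit logs of every CSP for sensitive operations by those identities) can be reproduced offline. The following is an added example, not code from the original post or from Prisma Cloud: it normalizes a few constructed AWS CloudTrail, Google Cloud audit log and Azure records into one shape, then applies the same operation-and-subject filter as the RQL query, with the incident date as a time window. The CloudTrail and Google Cloud field names are the real ones; the Azure operation names are written as Prisma Cloud renders them rather than as raw Activity Log resource-provider operations; the identities, access key IDs and timestamps are made up for the example.

```python
"""Added example (not from the original post or from Prisma Cloud): the
Suspicious Operation RQL query's logic, run offline over constructed
multi-cloud audit records.  Record contents are made-up sample data."""
from dataclasses import dataclass
from typing import Iterable

# Watch list: a subset of the operations named in the RQL query above.
SUSPICIOUS_OPERATIONS = frozenset({
    # AWS (CloudTrail eventName)
    "ModifyInstanceAttribute", "CreateFunction20150331", "UpdateFunctionCode20150331",
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "ImportKeyPair", "RunInstances", "StartSession", "SendCommand",
    # Google Cloud (protoPayload.methodName)
    "google.iam.admin.v1.CreateServiceAccountKey",
    "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
    "v1.compute.instances.setMetadata",
    # Azure (operation name as Prisma Cloud renders it; assumption for this example)
    "Create a virtual machine (BeginRequest)",
    "Create or update custom role definition (EndRequest)",
    "blobServices/containers/write (BeginRequest)",
})


@dataclass(frozen=True)
class AuditEvent:
    cloud: str
    operation: str
    subject: str      # IAM user name / service account email / Azure caller
    access_key: str   # AWS access key ID when present, else ""
    time: str         # ISO 8601 UTC, so plain string comparison orders correctly


def normalize(rec: dict) -> AuditEvent:
    """Map one raw record from any of the three CSPs to a common shape."""
    if "eventName" in rec:                       # AWS CloudTrail record
        ident = rec.get("userIdentity", {})
        return AuditEvent("aws", rec["eventName"],
                          ident.get("userName") or ident.get("arn", ""),
                          ident.get("accessKeyId", ""), rec["eventTime"])
    if "protoPayload" in rec:                    # Google Cloud audit log entry
        payload = rec["protoPayload"]
        return AuditEvent("gcp", payload["methodName"],
                          payload["authenticationInfo"]["principalEmail"], "",
                          rec["timestamp"])
    return AuditEvent("azure", rec["operationName"], rec["caller"], "",
                      rec["eventTimestamp"])


def find_suspicious(records: Iterable[dict], subjects, access_keys=frozenset(),
                    after: str = "") -> list:
    """Events whose operation is on the watch list AND whose subject (or, for
    AWS, whose access key ID) is under suspicion, optionally at/after `after`."""
    hits = []
    for rec in records:
        ev = normalize(rec)
        if ev.operation not in SUSPICIOUS_OPERATIONS:
            continue
        if ev.subject not in subjects and (not ev.access_key or ev.access_key not in access_keys):
            continue
        if after and ev.time < after:
            continue
        hits.append(ev)
    return hits


# Constructed sample records (not real logs).
SAMPLE_RECORDS = [
    {"eventTime": "2023-01-05T03:12:44Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "circleci-deploy", "accessKeyId": "AKIAEXAMPLECI0000001"}},
    {"eventTime": "2023-01-05T03:13:02Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "circleci-deploy", "accessKeyId": "AKIAEXAMPLECI0000001"}},
    # Same key, but before the incident window: a routine pipeline run.
    {"eventTime": "2023-01-03T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "circleci-deploy", "accessKeyId": "AKIAEXAMPLECI0000001"}},
    # Read-only call by the suspect key: not on the watch list.
    {"eventTime": "2023-01-05T03:20:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "circleci-deploy", "accessKeyId": "AKIAEXAMPLECI0000001"}},
    # Sensitive operation by a principal that is not under suspicion.
    {"eventTime": "2023-01-05T04:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}},
    {"timestamp": "2023-01-05T05:45:10Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "authenticationInfo": {"principalEmail": "ci-deploy@example-project.iam.gserviceaccount.com"}}},
    {"eventTimestamp": "2023-01-05T06:01:30Z", "operationName": "Create a virtual machine (BeginRequest)",
     "caller": "ci-deploy@example.com"},
]

# Output of the three "Identify All Access Keys or Group IDs" queries, narrowed to
# the identities whose credentials were stored in CircleCI (assumed for the example).
SUSPECT_SUBJECTS = {"circleci-deploy",
                    "ci-deploy@example-project.iam.gserviceaccount.com",
                    "ci-deploy@example.com"}
SUSPECT_AWS_KEYS = {"AKIAEXAMPLECI0000001"}
INCIDENT_WINDOW_START = "2023-01-04T00:00:00Z"   # date of the CircleCI alert


def run_demo() -> list:
    """One sweep across all three clouds for the incident window."""
    return find_suspicious(SAMPLE_RECORDS, SUSPECT_SUBJECTS, SUSPECT_AWS_KEYS, INCIDENT_WINDOW_START)


if __name__ == "__main__":
    for ev in run_demo():
        print(f"{ev.time} {ev.cloud:5} {ev.subject:50} {ev.operation}")
```

The sweep flags four events (two AWS, one Google Cloud, one Azure) and drops the pre-incident `RunInstances`, the read-only `DescribeInstances`, and the `CreateUser` by an unrelated principal. Matching on the AWS access key ID in addition to the user name matters when an IAM user has more than one key and only one of them was stored in CircleCI; the RQL query on this page matches on subject only, so when narrowing an AWS finding to a single key you will still need the `accessKeyId` from the CloudTrail record.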