AWS EC2 key pair creation attempt with known suspicious naming convention


Goal

Detect when an EC2 key pair whose name follows a suspicious naming convention is created using a long-term IAM access key.

Strategy

This rule monitors CloudTrail logs for CreateKeyPair events issued with a long-term access key (an access key ID beginning with AKIA, as opposed to a temporary STS credential beginning with ASIA) and surfaces the identity that initiated the event.

Datadog’s security research team has observed attackers creating key pairs whose names consist of a common noun followed by a string of alphanumeric characters. A CreateKeyPair call matching this pattern can indicate that the long-term access key used, {{@userIdentity.accessKeyId}}, has been compromised.

Triage and response

  1. Determine if the user, {{@userIdentity.arn}}, should be generating a new key pair.
  2. Investigate the user's behavior and access information:
    • Review the user agent, IP address, and other identifying information for evidence of abnormal access.
    • Look at additional events in the surrounding timeframe, such as {{@userIdentity.arn}} or {{@userIdentity.accessKeyId}} importing a public key as a key pair (ImportKeyPair) or launching an instance with the new key pair (RunInstances). The related events can be searched in EC2 logs: @eventSource:ec2.amazonaws.com @evt.name:(ImportKeyPair OR RunInstances).
  3. If the behavior is abnormal for the user and your environment:
    • Rotate the credentials.
    • Investigate if the same credentials took other unauthorized actions.
    • Begin your company’s IR process and investigate.
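The detection described under Strategy and the pivots from the triage steps above, as an added Python example that is not part of the Datadog rule itself. It runs over constructed CloudTrail records embedded in the block (not real logs). The regular expression used for "common noun followed by alphanumeric characters" and the one-hour pivot window are assumptions, since the page does not state the rule's exact pattern; the field names (eventSource, eventName, userIdentity.accessKeyId, requestParameters.keyName, sourceIPAddress, userAgent) are standard CloudTrail fields.

```python
import re
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real logs), trimmed to the fields
# the detection and the triage pivots use.
SAMPLE_EVENTS = [
    {   # long-term key creates a key pair with a noun+alphanumeric name -> should alert
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateKeyPair",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "requestParameters": {"keyName": "banana3f9a2c7e"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5",
    },
    {   # same key launches an instance with the new key pair twelve minutes later
        "eventTime": "2024-05-01T10:12:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "requestParameters": {"keyName": "banana3f9a2c7e", "instanceType": "t3.large"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5",
    },
    {   # temporary STS credential (ASIA prefix): out of scope for this rule
        "eventTime": "2024-05-01T10:30:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateKeyPair",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/x",
                         "accessKeyId": "ASIAIOSFODNN7EXAMPLE"},
        "requestParameters": {"keyName": "apple4b1c9d0e"},
        "sourceIPAddress": "198.51.100.20", "userAgent": "console.amazonaws.com",
    },
    {   # long-term key, but a conventional descriptive name: no alert
        "eventTime": "2024-05-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateKeyPair",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops",
                         "accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
        "requestParameters": {"keyName": "prod-bastion-key"},
        "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.4",
    },
    {   # the alerting key's normal baseline: console use from a different IP days earlier
        "eventTime": "2024-04-28T08:15:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "requestParameters": None,
        "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
    },
]

LONG_TERM_KEY_PREFIX = "AKIA"   # long-term IAM access keys; temporary STS credentials start with ASIA

# Assumed approximation of "common noun followed by alphanumeric characters":
# a lowercase word of 3+ letters, then 6+ alphanumerics containing at least one digit.
NOUN_THEN_ALNUM = re.compile(r"^(?P<noun>[a-z]{3,})(?P<tail>[A-Za-z0-9]{6,})$")


def name_is_suspicious(key_name: str) -> bool:
    m = NOUN_THEN_ALNUM.match(key_name)
    return bool(m) and any(c.isdigit() for c in m.group("tail"))


def detect_suspicious_key_pair_creation(events):
    """Strategy: CreateKeyPair from a long-term access key with a suspicious key name."""
    hits = []
    for e in events:
        if e.get("eventSource") != "ec2.amazonaws.com" or e.get("eventName") != "CreateKeyPair":
            continue
        if not e.get("userIdentity", {}).get("accessKeyId", "").startswith(LONG_TERM_KEY_PREFIX):
            continue
        if name_is_suspicious((e.get("requestParameters") or {}).get("keyName", "")):
            hits.append(e)
    return hits


def _t(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def related_activity(events, hit, window=timedelta(hours=1)):
    """Triage step 2: events by the same access key, or referencing the new key pair name
    (ImportKeyPair, RunInstances), within the assumed one-hour window around the alert."""
    akid = hit["userIdentity"]["accessKeyId"]
    key_name = hit["requestParameters"]["keyName"]
    related = []
    for e in events:
        if e is hit or abs(_t(e) - _t(hit)) > window:
            continue
        same_key = e.get("userIdentity", {}).get("accessKeyId") == akid
        uses_name = (e.get("requestParameters") or {}).get("keyName") == key_name
        if same_key or uses_name:
            related.append(e)
    return related


def access_profile(events, access_key_id):
    """Triage step 2: distinct source IPs and user agents seen for the key, to compare against its baseline."""
    mine = [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    return {"source_ips": sorted({e["sourceIPAddress"] for e in mine}),
            "user_agents": sorted({e["userAgent"] for e in mine})}


if __name__ == "__main__":
    for hit in detect_suspicious_key_pair_creation(SAMPLE_EVENTS):
        akid = hit["userIdentity"]["accessKeyId"]
        print("ALERT", hit["userIdentity"]["arn"], akid, hit["requestParameters"]["keyName"])
        print("  related:", [(e["eventTime"], e["eventName"]) for e in related_activity(SAMPLE_EVENTS, hit)])
        print("  profile:", access_profile(SAMPLE_EVENTS, akid))
```

On the constructed records only the first CreateKeyPair fires: the ASIA-backed call is a temporary credential and the descriptive name fails the pattern. The pivot then shows the same key launching an instance with the new key pair minutes later, and the access profile shows the key switching from console use on one IP to CLI use on another, which is the kind of contrast triage step 2 asks you to look for.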