AWS access key creation by previously unseen identity


Goal

Detect when an AWS access key is created by an unfamiliar identity.

Strategy

This rule monitors CloudTrail logs for CreateAccessKey API calls made by an AWS identity. An attacker may create an AWS access key to maintain persistence in the account.

Note: This rule uses the New Value detection method to determine when a previously unseen AWS identity is observed performing this action.

Triage & response

  1. Determine if the API call: {{@evt.name}} should have been performed by the identity: {{@userIdentity.arn}}:
    • Contact the owner of the identity to confirm if they made the API call.
  2. If the API call was not made by the identity:
    • Rotate the identity credentials.
    • Determine what actions were taken by the identity and the new access keys created.
    • Begin your organization’s incident response process and investigate.
  3. If the API call was made legitimately by the identity:
    • Work with the owner of the identity to understand if a long-term credential is the best way to meet their use case.
    • As a best practice, AWS recommends using temporary security credentials (IAM roles) instead of creating long-term credentials like access keys.
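The detection logic from the Strategy section and the "what did the new key do" step from triage, as an added example that is not Datadog's rule implementation: a New Value check over CloudTrail records that alerts the first time a caller ARN is seen issuing CreateAccessKey, plus a helper that lists API calls later made with the created key. The records, account ID, ARNs and key IDs are constructed sample data.

```python
from typing import Dict, Iterable, List, Set

# Constructed CloudTrail records (not real logs), trimmed to the fields this rule uses.
EVENTS: List[Dict] = [
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice", "accessKeyId": "AKIAEXAMPLE000000AA"},
     "responseElements": {"accessKey": {"userName": "alice", "accessKeyId": "AKIAEXAMPLE000000BB"}}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice", "accessKeyId": "AKIAEXAMPLE000000AA"},
     "responseElements": {"accessKey": {"userName": "svc-backup", "accessKeyId": "AKIAEXAMPLE000000CC"}}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0abc", "accessKeyId": "ASIAEXAMPLE000000DD"},
     "responseElements": {"accessKey": {"userName": "svc-backup", "accessKeyId": "AKIAEXAMPLE000000EE"}}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup", "accessKeyId": "AKIAEXAMPLE000000EE"}},
]


def detect_new_key_creators(events: Iterable[Dict], seen: Set[str]) -> List[Dict]:
    """New Value detection: alert on CreateAccessKey calls whose caller ARN is not yet in `seen`.

    `seen` is the learned baseline of identities that have performed this action. It is updated
    in place, so a second key created by the same identity does not alert again.
    """
    alerts = []
    for ev in events:
        if ev.get("eventName") != "CreateAccessKey" or ev.get("eventSource") != "iam.amazonaws.com":
            continue
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        if arn in seen:
            continue
        seen.add(arn)
        created = ev.get("responseElements", {}).get("accessKey", {})
        alerts.append({"actor": arn, "target_user": created.get("userName"),
                       "new_key_id": created.get("accessKeyId")})
    return alerts


def actions_with_key(events: Iterable[Dict], access_key_id: str) -> List[str]:
    """Triage helper: list API calls subsequently made with a newly created key."""
    return [f"{ev['eventSource']}:{ev['eventName']}" for ev in events
            if ev.get("userIdentity", {}).get("accessKeyId") == access_key_id]


if __name__ == "__main__":
    baseline = {"arn:aws:iam::111122223333:user/alice"}  # alice has created keys before
    for alert in detect_new_key_creators(EVENTS, baseline):
        print(alert, "->", actions_with_key(EVENTS, alert["new_key_id"]))
```

With alice already in the baseline, only the assumed-role session alerts, and the helper shows the key it minted for svc-backup was then used to call s3:ListBuckets.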