AWS access key creation by previously unseen identity

Goal

Detect when an AWS access key is created by an unfamiliar identity.

Strategy

This rule monitors CloudTrail logs for CreateAccessKey API calls made by an AWS identity. An attacker may create an AWS access key to maintain persistence in the account.

Note: This rule uses the New Value detection method to determine when a previously unseen AWS identity is observed performing this action.
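The following is an added illustration of the detection logic described above, not the rule's own implementation: it reads constructed CloudTrail records, keeps CreateAccessKey calls from the IAM event source, and alerts the first time a given userIdentity.arn is seen performing the action. The baseline set stands in for the rule's learned "New Value" state; how long the real rule learns before alerting is an assumption not covered here.

```python
import json

# Constructed sample CloudTrail records (not real log data). Field names follow the
# CloudTrail record format: eventSource, eventName, userIdentity.arn, requestParameters.
SAMPLE_CLOUDTRAIL = [
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"userName": "alice"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"userName": "alice"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-42"},
                "requestParameters": {"userName": "svc-backup"}}),
]


def detect_new_identity_key_creation(raw_records, seen_identities=None):
    """Return one alert per CreateAccessKey call made by an identity not seen doing so before.

    seen_identities is the learned baseline (the 'New Value' state, assumed here to be a
    plain set): an identity is added on first observation, so repeat calls by the same
    identity do not alert. The caller can pass a pre-learned set and keep it across runs.
    """
    seen = set() if seen_identities is None else seen_identities
    alerts = []
    for raw in raw_records:
        record = json.loads(raw)
        # Only the IAM CreateAccessKey action is in scope for this rule.
        if record.get("eventSource") != "iam.amazonaws.com" or record.get("eventName") != "CreateAccessKey":
            continue
        identity = record.get("userIdentity", {}).get("arn")
        if not identity:
            continue  # malformed record without an actor ARN; skip rather than crash
        if identity in seen:
            continue  # identity already observed performing this action: not a new value
        seen.add(identity)
        alerts.append({
            "evt.name": record["eventName"],
            "userIdentity.arn": identity,
            # The user the key was created for; it may differ from the caller's identity.
            "target_user": record.get("requestParameters", {}).get("userName"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_identity_key_creation(SAMPLE_CLOUDTRAIL):
        print(alert)
```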

Triage & response

  1. Determine if the API call: {{@evt.name}} should have been performed by the identity: {{@userIdentity.arn}}:
    • Contact the owner of the identity to confirm if they made the API call.
  2. If the API call was not made by the identity:
    • Rotate the identity credentials.
    • Determine what actions were taken by the identity and the new access keys created.
    • Begin your organization’s incident response process and investigate.
  3. If the API call was made legitimately by the identity:
    • Work with the owner of the identity to understand whether a long-term credential is the best way to meet their use case.
    • As a best practice, AWS recommends using temporary security credentials (IAM roles) instead of creating long-term credentials such as access keys.