---
title: AWS CreateIndex by long term access key
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS CreateIndex by long term access key

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification: attack

Tactic: [TA0007-discovery](https://attack.mitre.org/tactics/TA0007)

Technique: [T1580-cloud-infrastructure-discovery](https://attack.mitre.org/techniques/T1580)

## Goal{% #goal %}

Detects usage of long-term AWS access keys to execute `CreateIndex` operations in AWS Resource Explorer. Identifies potential unauthorized discovery activity using compromised or misused long-term credentials.

## Strategy{% #strategy %}

This rule monitors AWS CloudTrail logs for `CreateIndex` events generated by the `resource-explorer-2.amazonaws.com` service, with a specific focus on long-term access keys. AWS Resource Explorer allows users to search and discover AWS resources across regions and accounts, making it valuable for both legitimate administration and malicious reconnaissance. Long-term access keys pose a higher security risk than temporary credentials because they do not expire automatically and are more likely to be compromised or misused by unauthorized actors.

## Triage & Response{% #triage--response %}

- Examine if the access key `{{@userIdentity.accessKeyId}}` in region `{{@awsRegion}}` has legitimate authorization to create resource indexes.
- Review the user identity associated with the access key and verify if index creation aligns with their normal responsibilities.
- Check for additional Resource Explorer API calls from the same access key to understand the scope of discovery activity.
- Investigate the source IP address and geographic location of the API calls to identify potential unauthorized access.
- Determine if the access key shows signs of compromise by reviewing recent authentication patterns and usage locations.
- Validate if the timing of the `CreateIndex` operation aligns with known maintenance windows or legitimate administrative tasks.
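
The match condition and the first triage pivots above can be reproduced offline against exported CloudTrail records. The following is an added example, not Datadog's rule query or code. It assumes long-term keys are recognized by the `AKIA` prefix of the access key ID (temporary STS keys use `ASIA`); the `ev` and `triage` helpers and all sample values are constructed for illustration.

```python
from collections import defaultdict

RESOURCE_EXPLORER = "resource-explorer-2.amazonaws.com"

def ev(key, name, region, ip, source=RESOURCE_EXPLORER):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": source, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed events: key IDs and IP addresses are placeholders, not real data.
SAMPLE_EVENTS = [
    ev("AKIAEXAMPLE000000001", "CreateIndex", "us-east-1", "198.51.100.7"),
    ev("AKIAEXAMPLE000000001", "Search", "us-east-1", "198.51.100.7"),
    ev("AKIAEXAMPLE000000001", "CreateIndex", "eu-west-1", "203.0.113.20"),
    ev("ASIAEXAMPLE000000002", "CreateIndex", "us-east-1", "192.0.2.10"),  # temporary key
    ev("AKIAEXAMPLE000000003", "Search", "us-east-1", "192.0.2.44"),       # no CreateIndex
    ev("AKIAEXAMPLE000000001", "ListBuckets", "us-east-1", "198.51.100.7",
       source="s3.amazonaws.com"),                                         # other service
]

def is_long_term_key(key_id):
    # Assumption: IAM user (long-term) keys start with AKIA, STS temporary keys with ASIA.
    return key_id.startswith("AKIA")

def triage(events):
    """Summarize Resource Explorer activity per long-term key that called CreateIndex."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("eventSource") == RESOURCE_EXPLORER:
            key = (e.get("userIdentity") or {}).get("accessKeyId") or ""
            by_key[key].append(e)
    findings = {}
    for key, evs in by_key.items():
        hits = [e for e in evs if e.get("eventName") == "CreateIndex"]
        if not hits or not is_long_term_key(key):
            continue  # key never created an index, or is a temporary credential
        findings[key] = {
            "create_index_regions": sorted({e.get("awsRegion", "") for e in hits}),
            "source_ips": sorted({e.get("sourceIPAddress", "") for e in evs}),
            "other_calls": sorted({e.get("eventName", "") for e in evs} - {"CreateIndex"}),
        }
    return findings

if __name__ == "__main__":
    for key, summary in triage(SAMPLE_EVENTS).items():
        print(key, summary)
```

Each summary lists the regions where the key created an index, every source IP it used against Resource Explorer, and the other Resource Explorer calls it made, which map to the region, scope, and source IP checks in the list above.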
