---
title: AWS access key creation by previously unseen identity
---

# AWS access key creation by previously unseen identity
Classification: Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003) / Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)
## Goal{% #goal %}

Detect when an AWS access key is created by an identity that has not previously been seen performing this action.

## Strategy{% #strategy %}

This rule monitors CloudTrail logs for `CreateAccessKey` API calls and records which AWS identity (`userIdentity.arn`) made each call. Access keys are long-lived credentials: an attacker who has compromised an IAM user or role can call `CreateAccessKey`, for their own user or for any other user they are permitted to manage, and keep access to the account after the original foothold is closed.

**Note:** This rule uses the `New Value` detection method: it learns the set of identities that have performed this action and triggers when an identity not in that set is observed calling `CreateAccessKey`.
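The following is an added example, not Datadog's rule code, showing the same idea in plain Python: a baseline of identities already seen calling `CreateAccessKey`, and an alert the first time a new one appears. The CloudTrail records are constructed for the example (the account ID and key IDs are AWS documentation placeholders). Two design choices here are assumptions, not something the page states about the Datadog rule: assumed-role sessions are keyed on the issuing role's ARN rather than the per-session STS ARN (otherwise every new session would look unseen), and calls that failed with an `errorCode` are skipped because no key was created. The raw CloudTrail fields `eventName` and `userIdentity.arn` are what the triage template variables `@evt.name` and `@userIdentity.arn` refer to.

```python
"""Toy 'new value' detector for CloudTrail CreateAccessKey events.

Added example; not Datadog's implementation. The baseline of previously seen
identities is an in-memory set here; a real detector would persist it.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

ACCOUNT = "123456789012"  # AWS documentation placeholder account ID

# Constructed sample records (not real logs). Only the fields used below are kept.
SAMPLE_RECORDS = [
    {   # 1. known IAM user creates a key for herself: in baseline, no alert
        "eventTime": "2024-05-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {"userName": "alice"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEALICE0001",
                                           "status": "Active", "userName": "alice"}},
    },
    {   # 2. CI role (known) in a brand-new session: keyed on the role ARN, no alert
        "eventTime": "2024-05-01T09:05:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/CIDeploy/build-4711",
                         "sessionContext": {"sessionIssuer": {
                             "type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/CIDeploy"}}},
        "requestParameters": {"userName": "deploy-bot"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEDEPLOY001",
                                           "status": "Active", "userName": "deploy-bot"}},
    },
    {   # 3. never-seen user creates a key for a *different* user: alert
        "eventTime": "2024-05-01T23:41:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "contractor",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/contractor"},
        "requestParameters": {"userName": "admin-user"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                           "status": "Active", "userName": "admin-user"}},
    },
    {   # 4. same user again: no longer a new value, no alert
        "eventTime": "2024-05-01T23:42:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "contractor",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/contractor"},
        "requestParameters": {"userName": "admin-user"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLECONTR0002",
                                           "status": "Active", "userName": "admin-user"}},
    },
    {   # 5. unseen user, but the call was denied: no key created, skipped here
        "eventTime": "2024-05-02T01:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "intern",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/intern"},
        "requestParameters": {"userName": "intern"},
    },
]

# Identities already observed performing this action (constructed baseline).
BASELINE = {f"arn:aws:iam::{ACCOUNT}:user/alice", f"arn:aws:iam::{ACCOUNT}:role/CIDeploy"}


@dataclass
class Finding:
    event_time: str
    event_name: str
    caller_arn: str            # who made the call (what triage must confirm)
    target_user: Optional[str]  # whose key was created (may differ from caller)
    access_key_id: Optional[str]  # the key to deactivate/delete if malicious


def principal_arn(user_identity: dict) -> str:
    """ARN to baseline on: the issuing role for assumed-role sessions (assumption
    of this example), otherwise userIdentity.arn as-is."""
    if user_identity.get("type") == "AssumedRole":
        issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("arn"):
            return issuer["arn"]
    return user_identity.get("arn", "unknown")


class NewIdentityDetector:
    def __init__(self, seen: Iterable[str] = ()):
        self.seen = set(seen)

    def process(self, record: dict) -> Optional[Finding]:
        """Return a Finding for a successful CreateAccessKey by an unseen identity."""
        if record.get("eventSource") != "iam.amazonaws.com":
            return None
        if record.get("eventName") != "CreateAccessKey" or "errorCode" in record:
            return None
        arn = principal_arn(record["userIdentity"])
        if arn in self.seen:
            return None
        self.seen.add(arn)  # learn the new value so it fires only once
        key = (record.get("responseElements") or {}).get("accessKey") or {}
        target = (record.get("requestParameters") or {}).get("userName") or key.get("userName")
        return Finding(record["eventTime"], record["eventName"], arn, target, key.get("accessKeyId"))


def run_detection(records: Iterable[dict], baseline: Iterable[str]) -> list[Finding]:
    det = NewIdentityDetector(baseline)
    return [f for r in records if (f := det.process(r)) is not None]


if __name__ == "__main__":
    for f in run_detection(SAMPLE_RECORDS, BASELINE):
        print(f"{f.event_time} {f.event_name} by {f.caller_arn} -> key {f.access_key_id} for {f.target_user}")
```

Run against the sample records, only record 3 produces a finding, and it carries the three facts the triage steps need: the caller to confirm with, the user whose key was created, and the key ID to deactivate if the call was not legitimate.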

## Triage & response{% #triage--response %}

1. Determine if the API call `{{@evt.name}}` should have been performed by the identity `{{@userIdentity.arn}}`:
   - Contact the owner of the identity to confirm whether they made the API call.
1. If the API call was not made by the identity:
   - Rotate the identity's credentials, and deactivate or delete the access key that was created (its ID is recorded in the `responseElements` of the CloudTrail event; the secret itself is never logged).
   - Determine what other actions were taken by the identity and by the newly created access key. Note that the key may belong to a different IAM user than the caller (`requestParameters.userName`).
   - Begin your organization's incident response process and investigate.
1. If the API call was made legitimately by the identity:
   - Work with the owner of the identity to understand whether a long-term credential is the best way to meet their use case.
   - As a best practice, AWS recommends using temporary security credentials (IAM roles) instead of creating long-term credentials such as access keys.
