LoFP / aws api keys legitimate exchange workflows

Techniques

Sample rules

AWS IAM Backdoor Users Keys

Description

Detects creation of an AWS access key for an IAM user by a different principal: a CloudTrail CreateAccessKey event in which the calling identity's ARN does not contain the user name the key was issued to. Backdoored users are a persistence mechanism, since an attacker who can issue keys for another IAM user keeps access through that user even after their own entry point is closed. The same alert also gives visibility into how access keys move between users in the organization, which is where legitimate key exchange or rotation workflows (an administrator or automation issuing keys on a user's behalf) surface as false positives.

Detection logic

selection_source:
  eventSource: iam.amazonaws.com
  eventName: CreateAccessKey
filter:
  # Intended as a field-to-field comparison: drop events where the caller's own
  # ARN contains the user name the key was issued to, i.e. a user creating a key
  # for themselves. Note that the plain Sigma `contains` modifier matches a
  # literal string, so a backend without field-reference support compares the
  # ARN against the text "responseElements.accessKey.userName" and the filter
  # never matches; the Sigma v2 `fieldref` modifier exists for this comparison.
  # A substring test is also loose: user "bob" issuing a key to user "bo" is
  # filtered out as self-service.
  userIdentity.arn|contains: responseElements.accessKey.userName
condition: selection_source and not filter
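The rule's logic run over constructed CloudTrail records, as an added example that is not part of this LoFP page or of the Sigma rule it quotes. It implements the filter as a real field-to-field comparison (the substring semantics the rule writes, and a stricter exact-name variant), and shows the tuning a legitimate key exchange workflow needs: an allow-list of principals known to issue keys on users' behalf. The user names, the account id 123456789012, the KeyRotationRole role, the AKIAEXAMPLE... key ids and the allow-list are all assumptions made for the example.

```python
"""Added example: the 'AWS IAM Backdoor Users Keys' logic applied to CloudTrail
records, plus the tuning a 'legitimate key exchange workflow' needs.
All records, account ids, names and key ids below are constructed placeholders."""
import json

# Constructed CloudTrail records, not real logs.
SAMPLE_EVENTS = [json.loads(s) for s in (
    # 1. alice creates a key for herself: self-service, not what the rule targets
    '{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},'
    '"responseElements":{"accessKey":{"userName":"alice","accessKeyId":"AKIAEXAMPLE0000001","status":"Active"}}}',
    # 2. alice creates a key for bob: the backdoor pattern the rule detects
    '{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},'
    '"responseElements":{"accessKey":{"userName":"bob","accessKeyId":"AKIAEXAMPLE0000002","status":"Active"}}}',
    # 3. a hypothetical key-rotation role issues bob a key: the legitimate exchange
    #    workflow this page lists as a false positive
    '{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey",'
    '"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/KeyRotationRole/rotate-job"},'
    '"responseElements":{"accessKey":{"userName":"bob","accessKeyId":"AKIAEXAMPLE0000003","status":"Active"}}}',
    # 4. bob creates a key for user "bo": a substring filter hides this as self-service
    '{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},'
    '"responseElements":{"accessKey":{"userName":"bo","accessKeyId":"AKIAEXAMPLE0000004","status":"Active"}}}',
    # 5. a different IAM call: never selected
    '{"eventSource":"iam.amazonaws.com","eventName":"ListAccessKeys",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"}}',
)]


def _target_user(event):
    """User the key was issued to: responseElements.accessKey.userName, falling
    back to requestParameters.userName (responseElements is absent on failed calls)."""
    resp = event.get("responseElements") or {}
    req = event.get("requestParameters") or {}
    return (resp.get("accessKey") or {}).get("userName") or req.get("userName") or ""


def _selected(event):
    """selection_source: CreateAccessKey on the IAM service."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "CreateAccessKey")


def matches_rule(event):
    """The page's logic with the filter as a real field-to-field comparison:
    alert when the caller's ARN does not contain the target user name."""
    if not _selected(event):
        return False
    caller_arn = (event.get("userIdentity") or {}).get("arn", "")
    target = _target_user(event)
    return bool(target) and target not in caller_arn


def principal_name(arn):
    """Name component of an IAM user or STS assumed-role ARN, "" otherwise:
    arn:aws:iam::ACCOUNT:user/alice -> alice; ...:assumed-role/Role/sess -> Role."""
    parts = arn.rsplit(":", 1)[-1].split("/")
    return parts[1] if parts[0] in ("user", "assumed-role") and len(parts) > 1 else ""


def matches_rule_strict(event):
    """Same rule with an exact name comparison, so user 'bob' issuing a key to
    user 'bo' is not mistaken for self-service by a substring match."""
    if not _selected(event):
        return False
    caller_arn = (event.get("userIdentity") or {}).get("arn", "")
    target = _target_user(event)
    return bool(target) and principal_name(caller_arn) != target


def alerts(events, known_creator_prefixes=()):
    """Run the strict rule and drop callers whose ARN starts with a known
    key-exchange/rotation principal. The allow-list is a tuning assumption,
    not part of the rule on this page."""
    hits = []
    for e in events:
        if not matches_rule_strict(e):
            continue
        caller_arn = e["userIdentity"]["arn"]
        if any(caller_arn.startswith(p) for p in known_creator_prefixes):
            continue
        hits.append((caller_arn, _target_user(e), e["responseElements"]["accessKey"]["accessKeyId"]))
    return hits


if __name__ == "__main__":
    rotation = ("arn:aws:sts::123456789012:assumed-role/KeyRotationRole/",)
    for caller, user, key_id in alerts(SAMPLE_EVENTS, known_creator_prefixes=rotation):
        print(f"ALERT: {caller} created {key_id} for user {user}")
```

Tuning by caller prefix keeps the allow-list narrow (one role, one account) rather than suppressing the whole rule; the exact-name variant is the one worth shipping, since the substring comparison both under-alerts (record 4) and, for assumed-role callers, compares the user name against an ARN that never carries an IAM user name at all.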