LoFP / Legitimate users may travel, rotate through VPN egress IPs, or run automation from new build hosts, producing a first-seen IP for an existing access key. Baseline the principal, confirm with the key owner, and extend the history window or add exceptions for known automation networks if needed.

Techniques

Sample rules

AWS IAM Long-Term Access Key First Seen from Source IP

Description

Identifies the first time, within the configured history window, that a long-term IAM access key ID (prefix AKIA) is used successfully from a given source.ip in AWS CloudTrail. Long-term access keys belong to IAM users or the account root user. They are a common target after credential theft or leakage, including supply-chain and exposed-key scenarios. Temporary security credentials (prefix ASIA) and console sessions are excluded so the signal emphasizes programmatic access patterns.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.outcome: "success"
    and source.ip:*
    and aws.cloudtrail.user_identity.access_key_id: AKIA*
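As an added example (not part of this rule page or of any detection engine), the Python below sketches the first-seen logic the query feeds: one alert per (access key, source IP) pair not observed within the history window, applying the same filters as the rule (success outcome, source IP present, AKIA prefix) plus the known-automation-network exception suggested in the LoFP note. The record layout, the 30-day default and the automation CIDR are assumptions, and the events are constructed samples.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed CloudTrail-style samples: (time, event.outcome, source.ip, access_key_id).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "success", "198.51.100.10", "AKIAEXAMPLEKEY00001"),  # first seen
    ("2024-05-01T09:00:00", "success", "198.51.100.10", "AKIAEXAMPLEKEY00001"),  # repeat pair
    ("2024-05-02T10:00:00", "success", "203.0.113.7", "AKIAEXAMPLEKEY00001"),    # new IP
    ("2024-05-02T11:00:00", "failure", "192.0.2.99", "AKIAEXAMPLEKEY00001"),     # not success
    ("2024-05-02T12:00:00", "success", "192.0.2.50", "ASIAEXAMPLETEMP0001"),     # temp cred
    ("2024-05-02T13:00:00", "success", "10.20.0.5", "AKIAEXAMPLEKEY00002"),      # automation net
    ("2024-06-20T08:00:00", "success", "198.51.100.10", "AKIAEXAMPLEKEY00001"),  # past window
]


def first_seen_alerts(events, history_days=30, known_automation_cidrs=()):
    """Return first-seen alerts for long-term key / source IP pairs.

    A pair is "first seen" when it has not been observed within the last
    history_days. Pairs from known automation networks are suppressed (the
    LoFP exception), but are still recorded so later hits are not novel.
    """
    window = timedelta(days=history_days)
    nets = [ipaddress.ip_network(c) for c in known_automation_cidrs]
    last_seen = {}  # (access_key_id, source_ip) -> most recent observation
    alerts = []
    for time_str, outcome, ip, key in sorted(events):
        # Mirror the rule's filters: successful calls, a source IP, AKIA* keys.
        # ASIA temporary credentials and console sessions drop out here.
        if outcome != "success" or not ip or not key.startswith("AKIA"):
            continue
        ts = datetime.fromisoformat(time_str)
        pair = (key, ip)
        prev = last_seen.get(pair)
        last_seen[pair] = ts
        if prev is not None and ts - prev <= window:
            continue  # observed inside the history window: not first seen
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # known automation egress network: documented exception
        alerts.append({"time": time_str, "access_key_id": key, "source_ip": ip})
    return alerts


if __name__ == "__main__":
    for a in first_seen_alerts(SAMPLE_EVENTS, known_automation_cidrs=("10.20.0.0/16",)):
        print(a)
```

Widening history_days makes the 2024-06-20 reuse of an already-known IP stop alerting, which is the "extend the history window" tuning the LoFP note describes.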