not all permanent key creations are malicious. if there is a policy of rotating keys this search can be adjusted to provide better context.

t1078
aws account
splunk

Techniques

T1078

Sample rules

aws detect permanent key creation

source: splunk
technicques:
- T1078

Description

The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the CreateAccessKey action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration.

Detection logic

`aws_cloudwatchlogs_eks` CreateAccessKey 
| spath eventName 
| search eventName=CreateAccessKey "userIdentity.type"=IAMUser 
| table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId 
|`aws_detect_permanent_key_creation_filter`