Not all permanent key creations are malicious. If there is a policy of rotating keys, this search can be adjusted to provide better context.

Techniques

Sample rules

aws detect permanent key creation

Description

This search detects accounts creating permanent keys. Permanent keys are not created by default and are only needed for programmatic calls. Creation of a permanent key is an important event to monitor.

Detection logic

`aws_cloudwatchlogs_eks` CreateAccessKey 
| spath eventName 
| search eventName=CreateAccessKey "userIdentity.type"=IAMUser 
| table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId 
| `aws_detect_permanent_key_creation_filter`
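
As an added example (not part of the original rule or of the project it comes from), the Python below applies the same filter as the search to CloudTrail-shaped records and attaches the rotation context that the false-positive note mentions. The 24-hour window, the `likely_rotation` heuristic and every sample record are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

ROTATION_WINDOW = timedelta(hours=24)  # assumption: match your rotation policy
RETIRE_EVENTS = {"UpdateAccessKey", "DeleteAccessKey"}  # IAM calls that retire a key

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def permanent_key_creations(events):
    """Same filter as the search (CreateAccessKey by an IAMUser) plus a rotation hint."""
    hits = []
    for ev in events:
        identity = ev.get("userIdentity") or {}
        if ev.get("eventName") != "CreateAccessKey" or identity.get("type") != "IAMUser":
            continue
        key = (ev.get("responseElements") or {}).get("accessKey") or {}
        owner = key.get("userName")
        # Assumed heuristic: another key of the same user is retired within the window.
        rotated = any(
            owner and o.get("eventName") in RETIRE_EVENTS
            and (o.get("requestParameters") or {}).get("userName") == owner
            and (o.get("requestParameters") or {}).get("accessKeyId") != key.get("accessKeyId")
            and timedelta(0) <= _ts(o) - _ts(ev) <= ROTATION_WINDOW
            for o in events
        )
        hits.append({
            "sourceIPAddress": ev.get("sourceIPAddress"),
            "userName": identity.get("userName"),
            "accessKeyId": key.get("accessKeyId"),
            "createDate": key.get("createDate"),
            "likely_rotation": rotated,
        })
    return hits

def _ev(time, name, user, key_id, ip):  # constructed CloudTrail-shaped record, not real data
    ev = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "userName": user},
          "requestParameters": {"userName": user}, "responseElements": None}
    if name == "CreateAccessKey":
        ev["responseElements"] = {"accessKey": {
            "userName": user, "accessKeyId": key_id, "status": "Active", "createDate": time}}
    else:
        ev["requestParameters"]["accessKeyId"] = key_id
    return ev

SAMPLE_EVENTS = [  # constructed sample: one rotation, one standalone creation
    _ev("2024-01-10T09:00:00Z", "CreateAccessKey", "ci-deploy", "AKIAEXAMPLENEW000001", "198.51.100.7"),
    _ev("2024-01-10T09:05:00Z", "DeleteAccessKey", "ci-deploy", "AKIAEXAMPLEOLD000001", "198.51.100.7"),
    _ev("2024-01-11T02:13:00Z", "CreateAccessKey", "alice", "AKIAEXAMPLENEW000002", "203.0.113.50"),
]
```

A creation with `likely_rotation` set to false has no matching key retirement in the window and is the one to triage first; the flag is context for an analyst, not a reason to suppress the event.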