Techniques
Sample rules
aws detect permanent key creation
- source: splunk
- techniques:
- T1078
Description
This search detects accounts creating permanent keys. Permanent keys are not created by default and are only needed for programmatic calls. Creation of a permanent key is an important event to monitor.
Detection logic
`aws_cloudwatchlogs_eks` CreateAccessKey
| spath eventName
| search eventName=CreateAccessKey "userIdentity.type"=IAMUser
| table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId
| `aws_detect_permanent_key_creation_filter`
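The same match conditions applied offline to raw CloudTrail JSON, as an added Python example that is not part of the original rule. The sample events are constructed, the mapping of the search's `userName` column to `userIdentity.userName` is an assumption, and the extra `errorCode` column is an addition so that denied attempts (which carry no `responseElements`) remain distinguishable from successful key creation.

```python
import json

# Constructed CloudTrail records (not real data), one JSON object per line.
SAMPLE_EVENTS = """\
{"eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.15.0","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"accessKey":{"accessKeyId":"AKIAEXAMPLE000000001","status":"Active","createDate":"Jan 5, 2024 10:00:00 AM","userName":"svc-backup"}}}
{"eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.9","userAgent":"console.amazonaws.com","userIdentity":{"type":"AssumedRole"},"responseElements":{"accessKey":{"accessKeyId":"AKIAEXAMPLE000000002","status":"Active"}}}
{"eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.4","userAgent":"Boto3/1.34.0","userIdentity":{"type":"IAMUser","userName":"bob"},"errorCode":"AccessDenied","responseElements":null}
{"eventName":"ListAccessKeys","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.15.0","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":null}
"""

# Output columns mapped to CloudTrail JSON paths (the userName mapping is an assumption).
COLUMNS = {
    "sourceIPAddress": "sourceIPAddress",
    "userName": "userIdentity.userName",
    "userIdentityType": "userIdentity.type",
    "userAgent": "userAgent",
    "createDate": "responseElements.accessKey.createDate",
    "keyStatus": "responseElements.accessKey.status",
    "accessKeyId": "responseElements.accessKey.accessKeyId",
}

def dig(record, dotted_path):
    """Follow a dotted path; return None if any hop is missing, null or not an object."""
    node = record
    for key in dotted_path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node

def detect_permanent_key_creation(lines):
    """Return one row per CreateAccessKey event issued by an IAMUser identity."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated log lines
        # Same two conditions as the search: event name and caller identity type.
        if dig(record, "eventName") != "CreateAccessKey":
            continue
        if dig(record, "userIdentity.type") != "IAMUser":
            continue
        row = {column: dig(record, path) for column, path in COLUMNS.items()}
        row["errorCode"] = dig(record, "errorCode")  # set on denied or failed calls
        findings.append(row)
    return findings

if __name__ == "__main__":
    for finding in detect_permanent_key_creation(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

On the constructed sample, the `AssumedRole` event is not returned because the rule matches only `IAMUser` callers, and the denied call is returned with empty key fields.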