Name:aws detect permanent key creation id:12d6d713-3cb4-4ffc-a064-1dca3d1cca01 version:5 date:2024-11-14 author:Rod Soto, Splunk status:deprecated type:Hunting Description:The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration. Data_source:
how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs known_false_positives:Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context. References: drilldown_searches:
: tags: analytic_story: - 'AWS Cross Account Activity' asset_type:AWS Account mitre_attack_id: - 'T1078' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:threat
