AWS IAM User Created Access Keys For Another User

About

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS IAMUse Case: Identity and Access AuditTactic: Privilege EscalationTactic: Persistence

Severity

medium

Risk Score

47

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Account Manipulation (T1098)(opens in a new tab or window)

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Account Manipulation (T1098)(opens in a new tab or window)

False Positive Examples

While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.

License

Elastic License v2(opens in a new tab or window)

Definition

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

aws(opens in a new tab or window)

Query

from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com"
    and event.action == "CreateAccessKey"
    and event.outcome == "success"
    and user.name != user.target.name
| keep
    @timestamp,
    cloud.region,
    event.provider,
    event.action,
    event.outcome,
    user.name,
    source.address,
    user.target.name,
    user_agent.original,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.type,