AWS IAM Long-Term Access Key First Seen from Source IP

Last updated: 2026-04-06
Created: 2026-04-06

About

Identifies the first time, within the configured history window, that a long-term IAM access key ID (prefix AKIA) is used successfully from a given source.ip in AWS CloudTrail. Long-term access keys belong to IAM users or the account root user and do not expire on their own, which makes them a common target after credential theft or leakage, including supply-chain compromise and keys exposed in repositories, build logs, or images. Temporary security credentials (prefix ASIA) and console sessions are excluded so the signal emphasizes programmatic access patterns. The rule evaluates each (access key ID, source IP) pair, so the same key used from a second, third, or fourth new address produces a separate alert each time.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Data Source: AWS IAM
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Initial Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

Initial Access (TA0001)

False Positive Examples
Legitimate users may travel, switch between VPN egress IPs, or run automation from newly provisioned build hosts, producing a first-seen IP for an existing access key. Baseline the principal, confirm with the key owner, and check what the key did from the new address: a first-seen IP followed only by the principal's usual API calls is usually benign, while one followed by identity or permission enumeration deserves prompt triage. Extend the history window or add exceptions for known automation networks if needed, and prefer migrating recurring automation to temporary credentials (roles) so the key no longer needs to exist.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail" and event.outcome: "success" and source.ip:* and aws.cloudtrail.user_identity.access_key_id: AKIA*
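The following Python script is an added illustration of the first-seen logic this rule encodes; it is not Elastic's new-terms implementation and not code from this page. It replays constructed CloudTrail records, using the same ECS field names as the query above, through a filter equivalent to the KQL and then through a first-seen check on the pair (access key ID, source IP) with a history window. The seven-day window, the allowlisted 198.51.100.0/24 automation network, and every key ID, IP address, and timestamp in the sample are assumptions invented for the example; the pairing of access_key_id with source.ip as the new-terms fields is inferred from the description, not quoted from the rule definition.

```python
"""First-seen (access_key_id, source.ip) check over constructed CloudTrail records.

Added example; not Elastic's new-terms rule engine. Field names mirror the
query on this page (event.dataset, event.outcome, source.ip,
aws.cloudtrail.user_identity.access_key_id).
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed history window; the real rule's window is configurable.
HISTORY_WINDOW = timedelta(days=7)

# Hypothetical allowlist of known automation egress networks (not from the page).
KNOWN_AUTOMATION_NETS = [ip_network("198.51.100.0/24")]


def matches_query(event: dict) -> bool:
    """Equivalent of the rule's KQL: success, source.ip present, AKIA* key ID."""
    key = event.get("aws.cloudtrail.user_identity.access_key_id") or ""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.outcome") == "success"
        and bool(event.get("source.ip"))
        and key.startswith("AKIA")
    )


def in_known_automation_net(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_AUTOMATION_NETS)


def first_seen_alerts(events, window=HISTORY_WINDOW, allowlist=True):
    """Return one alert per (key, ip) pair not seen within `window` before the event.

    `events` must be sorted by @timestamp. A pair seen again after a gap longer
    than the window counts as new again, as a new-terms rule would treat it.
    Allowlisted networks are still recorded as seen, only the alert is suppressed.
    """
    last_seen = {}  # (access_key_id, source.ip) -> datetime of last matching use
    alerts = []
    for ev in events:
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        key = ev["aws.cloudtrail.user_identity.access_key_id"]
        ip = ev["source.ip"]
        prev = last_seen.get((key, ip))
        is_new = prev is None or (ts - prev) > window
        last_seen[(key, ip)] = ts
        if is_new and not (allowlist and in_known_automation_net(ip)):
            alerts.append({
                "@timestamp": ev["@timestamp"],
                "access_key_id": key,
                "source.ip": ip,
                "event.action": ev.get("event.action"),
            })
    return alerts


def _ev(ts, key, ip, outcome="success", action="ListBuckets"):
    """Build a constructed ECS-shaped CloudTrail record for the sample below."""
    ev = {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.outcome": outcome,
        "event.action": action,
        "aws.cloudtrail.user_identity.access_key_id": key,
    }
    if ip is not None:
        ev["source.ip"] = ip
    return ev


# Constructed sample; key IDs and addresses are placeholders (RFC 5737 ranges).
SAMPLE_EVENTS = [
    _ev("2026-03-01T09:00:00+00:00", "AKIAEXAMPLE000000001", "203.0.113.10"),   # first use ever: alert
    _ev("2026-03-02T09:00:00+00:00", "AKIAEXAMPLE000000001", "203.0.113.10"),   # same pair again: no alert
    _ev("2026-03-02T10:00:00+00:00", "ASIAEXAMPLE000000002", "192.0.2.77"),     # temporary creds: excluded
    _ev("2026-03-02T11:00:00+00:00", "AKIAEXAMPLE000000001", "192.0.2.77",
        outcome="failure"),                                                    # failed call: excluded
    _ev("2026-03-02T12:00:00+00:00", "AKIAEXAMPLE000000001", None),            # no source.ip: excluded
    _ev("2026-03-03T09:00:00+00:00", "AKIAEXAMPLE000000001", "198.51.100.5"),  # new, but allowlisted net
    _ev("2026-03-03T15:00:00+00:00", "AKIAEXAMPLE000000001", "192.0.2.77",
        action="GetCallerIdentity"),                                           # new pair: alert
    _ev("2026-03-20T09:00:00+00:00", "AKIAEXAMPLE000000001", "203.0.113.10"),  # >7 days since last: alert
]

if __name__ == "__main__":
    for alert in first_seen_alerts(SAMPLE_EVENTS):
        print(alert)
```

Two behaviours of the sample are worth noticing when tuning the real rule: the first-ever use of a key fires an alert, which is why a freshly enabled rule should be allowed to look back over its full history window before its alerts are acted on; and a pair that goes quiet for longer than the window fires again when it returns, so infrequent but legitimate automation needs either a longer window or an exception rather than a one-off dismissal.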

Install detection rules in Elastic Security

Detect AWS IAM Long-Term Access Key First Seen from Source IP in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, follow the installation guide for Prebuilt Security Detection Rules.