AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure

Last updated: 2026-04-21
Created: 2026-04-21

About

Detects AWS access keys that are used from both GitHub Actions CI/CD infrastructure and non-CI/CD infrastructure. This pattern indicates potential credential theft, where an attacker has stolen AWS credentials configured as GitHub Actions secrets and is using them from their own infrastructure.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Data Source: AWS IAM
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Language: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

Lateral Movement (TA0008)

False Positive Examples
AWS credentials legitimately shared between GitHub Actions and another Microsoft/Azure service may trigger this rule. Verify whether the non-CI/CD source IP is expected for the workload. GitHub Actions self-hosted runners running on infrastructure other than Microsoft, Amazon or Google will appear as suspicious. Add the ASN organization name of your self-hosted runner infrastructure to the allowlist the query uses when computing is_not_cicd_infra.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws

Query
from logs-aws.cloudtrail-* metadata _id, _version, _index
| WHERE event.dataset == "aws.cloudtrail"
    AND aws.cloudtrail.user_identity.access_key_id IS NOT NULL
    AND @timestamp >= NOW() - 7 days
    AND source.as.organization.name IS NOT NULL

// AWS API key used from github actions
| EVAL is_aws_github = user_agent.original LIKE "*aws-credentials-for-github-actions"

// non CI/CD related ASN
| EVAL is_not_cicd_infra = not source.as.organization.name IN ("Microsoft Corporation", "Amazon.com, Inc.", "Amazon Technologies Inc.", "Google LLC")

| STATS
    Esql.is_github_aws_key = MAX(CASE(is_aws_github, 1, 0)),
    Esql.has_suspicious_asn = MAX(CASE(is_not_cicd_infra, 1, 0)),
    Esql.last_seen_suspicious_asn = MAX(CASE(is_not_cicd_infra, @timestamp, NULL)),
    Esql.source_ip_values = VALUES(source.address),
    Esql.source_asn_values = VALUES(source.as.organization.name)
  BY aws.cloudtrail.user_identity.access_key_id, user.name, cloud.account.id

// AWS API key tied to a GH action used from unusual ASN (non CI/CD infra)
| WHERE Esql.is_github_aws_key == 1
    AND Esql.has_suspicious_asn == 1
    // avoid alert duplicates within 1h interval
    AND Esql.last_seen_suspicious_asn >= NOW() - 1 hour

| KEEP user.name, aws.cloudtrail.user_identity.access_key_id, Esql.*
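As an added example (not Elastic's code and not part of the rule itself), the following Python re-implements the query's grouping and filtering logic over constructed CloudTrail-like events, using simplified field names that stand in for the ECS fields the query reads; it also shows the 1-hour deduplication window suppressing an older non-CI/CD use.

```python
from datetime import datetime, timedelta, timezone

# ASN organisations the rule treats as CI/CD infrastructure (the query's allowlist).
CICD_ASN_ORGS = {"Microsoft Corporation", "Amazon.com, Inc.",
                 "Amazon Technologies Inc.", "Google LLC"}
GITHUB_UA_SUFFIX = "aws-credentials-for-github-actions"  # mirrors LIKE "*...actions"


def detect(events, now, lookback=timedelta(days=7), dedup=timedelta(hours=1)):
    """Group events by (access key, user, account) like the query's STATS ... BY,
    and return groups seen both from GitHub Actions and from a non-CI/CD ASN whose
    latest non-CI/CD use falls inside the dedup window (the query's final WHERE)."""
    groups = {}
    for e in events:
        # WHERE: access key and ASN org must be present, within the 7-day lookback
        if e["access_key_id"] is None or e["asn_org"] is None:
            continue
        if e["timestamp"] < now - lookback:
            continue
        key = (e["access_key_id"], e["user"], e["account_id"])
        g = groups.setdefault(key, {"github": False, "suspicious": False,
                                    "last_suspicious": None, "ips": set(), "asns": set()})
        if e["user_agent"].endswith(GITHUB_UA_SUFFIX):   # is_aws_github
            g["github"] = True
        if e["asn_org"] not in CICD_ASN_ORGS:             # is_not_cicd_infra
            g["suspicious"] = True
            if g["last_suspicious"] is None or e["timestamp"] > g["last_suspicious"]:
                g["last_suspicious"] = e["timestamp"]   # MAX(CASE(..., @timestamp))
        g["ips"].add(e["source_ip"])                      # VALUES(source.address)
        g["asns"].add(e["asn_org"])                       # VALUES(source.as.organization.name)
    return {k: g for k, g in groups.items()
            if g["github"] and g["suspicious"] and g["last_suspicious"] >= now - dedup}


NOW = datetime(2026, 4, 21, 12, 0, tzinfo=timezone.utc)

def _ev(key, user, age, ua, ip, asn):
    # Builds a constructed CloudTrail-like event (sample data, not real logs).
    return {"access_key_id": key, "user": user, "account_id": "111111111111",
            "timestamp": NOW - age, "user_agent": ua, "source_ip": ip, "asn_org": asn}

GH_UA = "aws-sdk-js/3.0 aws-credentials-for-github-actions"
SAMPLE_EVENTS = [
    # Key A: GitHub-hosted runner (Microsoft ASN) 2h ago, then an unknown ASN 30 min ago -> finding
    _ev("AKIAEXAMPLEA", "ci-deploy", timedelta(hours=2), GH_UA, "203.0.113.10", "Microsoft Corporation"),
    _ev("AKIAEXAMPLEA", "ci-deploy", timedelta(minutes=30), "aws-cli/2.15", "198.51.100.7", "Example Hosting Ltd"),
    # Key B: same pattern, but the non-CI/CD use was 3h ago -> suppressed by the 1h dedup window
    _ev("AKIAEXAMPLEB", "ci-test", timedelta(hours=1), GH_UA, "203.0.113.11", "Microsoft Corporation"),
    _ev("AKIAEXAMPLEB", "ci-test", timedelta(hours=3), "aws-cli/2.15", "198.51.100.8", "Example Hosting Ltd"),
]
```

Running `detect(SAMPLE_EVENTS, NOW)` returns only key A, with both source IPs and both ASN names collected for triage, the same fields the rule keeps as Esql.source_ip_values and Esql.source_asn_values.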

Install detection rules in Elastic Security

Detect AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.