AWS access key creation by previously unseen identity


Goal

Detect when an AWS access key is created by an unfamiliar identity.

Strategy

This rule monitors CloudTrail logs for CreateAccessKey API calls made by an AWS identity. An attacker who has compromised an identity may create an access key for an IAM user to maintain persistence in the account: access keys are long-term credentials that keep working after the session or role credentials used to create them have expired.

Note: This rule uses the New Value detection method, so it triggers the first time a given AWS identity (identified by its ARN) is observed performing this action, and not on later CreateAccessKey calls from an identity that has already been seen doing so.

Triage & response

  1. Determine if the API call {{@evt.name}} should have been performed by the identity {{@userIdentity.arn}}:
    • Contact the owner of the identity to confirm whether they made the API call.
  2. If the API call was not made by the identity:
    • Rotate the credentials of the identity that made the call, and deactivate or delete the newly created access key. Rotating the caller's credentials alone leaves the new key usable.
    • Use the access key ID recorded in the CreateAccessKey event to search CloudTrail for every call made with the new key, and review the other actions taken by the calling identity.
    • Begin your organization's incident response process and investigate.
  3. If the API call was made legitimately by the identity:
    • Work with the owner of the identity to understand whether a long-term credential is the best way to meet their use case.
    • As a best practice, AWS recommends using temporary security credentials (IAM roles) instead of creating long-term credentials such as access keys.
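The detection described under Strategy and the triage pivot in step 2, worked through in Python as an added example (this is not the rule's own implementation or Datadog code). It approximates the New Value method with a simple learned set: identity ARNs seen making CreateAccessKey during a baseline window are learned silently, and afterwards the first CreateAccessKey from any other ARN raises an alert. The records are constructed to look like CloudTrail events, trimmed to the fields used; the function names and the baseline-window cutoff are assumptions of this example.

```python
"""Added example: flag CreateAccessKey calls from previously unseen identities in
CloudTrail-style records, then pivot to what the new key was used for."""
import json
from datetime import datetime, timezone

ACCOUNT = "123456789012"  # constructed account id

# Constructed CloudTrail-style records (not real log output). CloudTrail logs the
# new key's accessKeyId in responseElements.accessKey but never the secret.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/ci-bot",
                      "accessKeyId": "AKIAEXAMPLE0000CIBOT"},
     "requestParameters": {"userName": "ci-bot"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000NEWCI",
                                        "userName": "ci-bot", "status": "Active"}}},
    {"eventTime": "2024-05-02T07:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/ci-bot",
                      "accessKeyId": "AKIAEXAMPLE0000NEWCI"},
     "requestParameters": {"userName": "ci-bot"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000CIBO2",
                                        "userName": "ci-bot", "status": "Active"}}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/SupportRole/eve",
                      "accessKeyId": "ASIAEXAMPLE0000TEMP1"},
     "requestParameters": {"userName": "admin-backup"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000EVIL1",
                                        "userName": "admin-backup", "status": "Active"}}},
    {"eventTime": "2024-05-02T09:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/admin-backup",
                      "accessKeyId": "AKIAEXAMPLE0000EVIL1"}},
    {"eventTime": "2024-05-02T09:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/admin-backup",
                      "accessKeyId": "AKIAEXAMPLE0000EVIL1"}},
    {"eventTime": "2024-05-02T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/ci-bot",
                      "accessKeyId": "AKIAEXAMPLE0000NEWCI"}},
    {"eventTime": "2024-05-02T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/SupportRole/eve",
                      "accessKeyId": "ASIAEXAMPLE0000TEMP1"},
     "requestParameters": {"userName": "admin-backup"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000EVIL2",
                                        "userName": "admin-backup", "status": "Active"}}},
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_new_identity_key_creation(records, baseline_end):
    """Alert on CreateAccessKey calls from an identity ARN not seen making that
    call before. ARNs observed before baseline_end are learned without alerting;
    after that, the first call from any other ARN alerts and the ARN is added to
    the seen set, so a repeat from the same ARN does not alert again (new-value
    semantics). Returns one alert dict per first sighting."""
    cutoff = _parse_time(baseline_end)
    seen, alerts = set(), []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventName") != "CreateAccessKey" or rec.get("eventSource") != "iam.amazonaws.com":
            continue
        caller = rec["userIdentity"]["arn"]
        if _parse_time(rec["eventTime"]) < cutoff or caller in seen:
            seen.add(caller)
            continue
        seen.add(caller)
        key = rec.get("responseElements", {}).get("accessKey", {})
        alerts.append({"eventTime": rec["eventTime"], "caller_arn": caller,
                       "target_user": rec.get("requestParameters", {}).get("userName"),
                       "new_access_key_id": key.get("accessKeyId")})
    return alerts


def actions_by_access_key(records, access_key_id):
    """Triage pivot: every call made with the given key, oldest first, as
    (eventTime, eventSource, eventName). CloudTrail records the key that signed
    each request in userIdentity.accessKeyId."""
    hits = [r for r in records if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    return [(r["eventTime"], r["eventSource"], r["eventName"])
            for r in sorted(hits, key=lambda r: r["eventTime"])]


if __name__ == "__main__":
    for alert in find_new_identity_key_creation(SAMPLE_RECORDS, "2024-05-02T00:00:00Z"):
        print(json.dumps(alert, indent=2))
        for row in actions_by_access_key(SAMPLE_RECORDS, alert["new_access_key_id"]):
            print("  used by new key:", *row)
```

With the baseline ending on 2024-05-02, ci-bot's second key creation is silent because the ARN was learned, the SupportRole session's first CreateAccessKey alerts once, and its second one does not; the pivot shows the new key then called GetCallerIdentity and AttachUserPolicy, which is what step 2 asks you to establish before deactivating the key. A noisy identity such as a CI user creating keys regularly is learned, not alerted on, so this method hinges on the baseline window being long enough to contain the legitimate key creators.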