aws detect permanent key creation

Name:aws detect permanent key creation
id:12d6d713-3cb4-4ffc-a064-1dca3d1cca01
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:experimental
type:Hunting
Description:The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration.
Data_source:

search:`aws_cloudwatchlogs_eks` CreateAccessKey
| spath eventName
| search eventName=CreateAccessKey "userIdentity.type"=IAMUser
| table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`

how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs
known_false_positives:Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'AWS Cross Account Activity'
  asset_type:AWS Account
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1078'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'eventName'
    - 'userIdentity.type'
    - 'sourceIPAddress'
    - 'userName userIdentity.type'
    - 'userAgent'
    - 'action'
    - 'status'
    - 'responseElements.accessKey.createDate'
    - 'esponseElements.accessKey.status'
    - 'responseElements.accessKey.accessKeyId'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None