Skip to content

Add API key to existing IAM user

Author Last Update
Nick Jones 2020-06-18

An adversary may attempt to maintain access by creating an API key attached to an existing privileged user

MITRE IDs

Required Permissions

  • iam:CreateAccessKey

Required Parameters

Name Type Description Example Value
user str IAM user to generate the API key for root

Attacker Action

aws iam create-access-key --user-name root

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:CreateAccessKey AND eventSource:iam.amazonaws.com  

Sigma Definition

---
title: Add API key to existing IAM user
id: 1570ea27-492c-4615-a518-59155ba03416
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to maintain access by creating an API key attached to an existing privileged user
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "CreateAccessKey"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089