Add API key to existing IAM user¶
An adversary may attempt to maintain access by creating an API key attached to an existing privileged user
|user||str||IAM user to generate the API key for||root|
aws iam create-access-key --user-name root
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:CreateAccessKey AND eventSource:iam.amazonaws.com
--- title: Add API key to existing IAM user id: 1570ea27-492c-4615-a518-59155ba03416 status: experimental author: Nick Jones date: 2023-07-01 description: An adversary may attempt to maintain access by creating an API key attached to an existing privileged user logsource: service: cloudtrail detection: selection_source: - eventSource: "iam.amazonaws.com" events: - eventName: "CreateAccessKey" condition: selection_source AND events level: low tags: - attack.T1098