AWS access key created unexpectedly
ID: aws_access_key_created_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0003:T1098.001
Description
AlphaSOC detected that an AWS access key was created using the CreateAccessKey
action. Access keys are long-term credentials that grant programmatic access to
AWS resources.
Impact
The unexpected creation of an access key may indicate an attempt by threat actors to maintain persistence. This could lead to data exfiltration, resource manipulation or deletion, malicious infrastructure deployment, and potential financial loss for the organization.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS access key created |
| Low | Unexpected action, ASN, or user agent |
| Medium | At least two unexpected properties at the same time |
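
The severity conditions in the table above can be applied to CloudTrail records as in the following added example, which is not AlphaSOC's implementation. It assumes that "unexpected" means "not previously seen for this principal"; the baseline, the IP-to-ASN map, the sample values and the names `asn_for`, `score` and `sample_event` are all constructed for illustration.

```python
import ipaddress

# Constructed enrichment data: CloudTrail has no ASN field, so the source IP
# must be mapped to one (documentation prefixes, private-use ASNs).
ASN_PREFIXES = {"198.51.100.0/24": 64500, "203.0.113.0/24": 64511}

# Constructed per-principal baseline (assumption: "unexpected" = not seen before).
BASELINE = {
    "arn:aws:iam::111122223333:user/ci-admin": {
        "actions": {"CreateAccessKey"}, "asns": {64500},
        "user_agents": {"aws-cli/2.15.0"}},
    "arn:aws:iam::111122223333:user/dev-alice": {
        "actions": {"GetObject"}, "asns": {64500},
        "user_agents": {"aws-cli/2.15.0"}},
}

def asn_for(source):
    """Map sourceIPAddress to an ASN; None for unknown IPs or AWS service names."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:  # e.g. "cloudformation.amazonaws.com"
        return None
    for prefix, asn in ASN_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None

def score(record):
    """Return (severity, unexpected properties), or None if no key was created."""
    if (record.get("eventSource"), record.get("eventName")) != ("iam.amazonaws.com", "CreateAccessKey"):
        return None
    if record.get("errorCode"):  # denied or failed call: no key exists
        return None
    seen = BASELINE.get(record["userIdentity"]["arn"], {})  # unknown principal: nothing expected
    observed = {"actions": record["eventName"],
                "asns": asn_for(record["sourceIPAddress"]),
                "user_agents": record["userAgent"]}
    unexpected = [k for k, v in observed.items() if v not in seen.get(k, set())]
    return ["Informational", "Low", "Medium"][min(len(unexpected), 2)], unexpected

def sample_event(arn, ip, agent, name="CreateAccessKey", error=None):
    """Build a constructed CloudTrail record with only the fields used here."""
    rec = {"eventSource": "iam.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": agent}
    if error:
        rec["errorCode"] = error
    return rec
```
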
Investigation and Remediation
Identify who created the access key and determine whether the action was authorized. Review AWS CloudTrail logs for any other suspicious activities. If the access key creation was unauthorized, delete the key and enforce a password reset for the affected account.