
An AWS access key was created by the root account

ID: aws_access_key_created_by_root
Data type: AWS CloudTrail
Severity: Medium - High
MITRE ATT&CK: TA0003:T1098.001

Description

AlphaSOC detected that an AWS access key was created by the root account. Threat actors may create access keys to maintain persistent access to victim accounts and instances within the AWS environment. This action is especially concerning if the access key was created for the root user itself, because the root user has unrestricted access to all AWS resources, which makes its long-term credentials a prime target for threat actors.

Impact

The unexpected creation of an access key may indicate that threat actors are trying to maintain their foothold by creating additional methods to access compromised resources. If root credentials or other elevated-privilege credentials are compromised, threat actors could gain full control over the AWS environment, enabling them to create or delete resources, access sensitive data, host malicious infrastructure, and incur substantial financial costs.

Severity

Severity | Condition
Medium   | An AWS access key was created
High     | An AWS access key was created for the root user

Investigation and Remediation

Identify who created the access key and determine whether the action was authorized. Review AWS CloudTrail logs for any other suspicious activity by the same identity or from the same source address. If the access key creation was unauthorized, delete the key and enforce a password reset for the affected account. As a best practice, avoid long-term credentials such as access keys altogether; instead, use IAM roles and temporary credentials issued by the AWS Security Token Service (STS) wherever possible.
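The severity logic from the table above, applied to CloudTrail records and returning the fields an analyst needs for the investigation steps just described, as an added example that is not AlphaSOC's code. The records are constructed; their layout follows CloudTrail's CreateAccessKey event shape, and the rule that a missing requestParameters.userName means the key was issued to the calling (root) identity is an assumption made here.

```python
# Constructed CloudTrail records (made-up values) for the cases in the severity table.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "eventTime": "2024-01-01T00:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": None,  # no UserName: key is for the caller (root)
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE00000001"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "eventTime": "2024-01-01T00:05:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"userName": "deploy-bot"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE00000002"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "eventTime": "2024-01-01T00:10:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE00000003"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey",
     "eventTime": "2024-01-01T00:15:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"accessKeyId": "AKIAEXAMPLE00000002"}},
]

def assess(record):
    """Return (severity, target_user) for a CreateAccessKey made by root, else None."""
    if record.get("eventSource") != "iam.amazonaws.com" or record.get("eventName") != "CreateAccessKey":
        return None
    if record.get("userIdentity", {}).get("type") != "Root":
        return None  # keys created by IAM users or roles are out of scope for this detection
    target = (record.get("requestParameters") or {}).get("userName")
    if target is None:
        # Assumption: CreateAccessKey without UserName applies to the caller, here root itself
        return ("High", "root")
    return ("Medium", target)

def triage(records):
    """Collect what an analyst needs to act: severity, target, key id, source, time."""
    findings = []
    for r in records:
        result = assess(r)
        if result is None:
            continue
        severity, target = result
        key = (r.get("responseElements") or {}).get("accessKey", {})
        findings.append({"severity": severity, "target": target,
                         "access_key_id": key.get("accessKeyId"),
                         "source_ip": r.get("sourceIPAddress"), "time": r.get("eventTime")})
    return findings
```

The access_key_id in each finding is the value to pass to DeleteAccessKey once the creation is confirmed unauthorized, and source_ip plus time bound the CloudTrail window to review for related activity.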

Known False Positives

  • Automated scripts or tools might attempt to create root access keys as part of a misconfigured setup process
  • Older workflows or applications might inadvertently create root access keys
  • Third-party tools or plugins may attempt to generate root access keys as part of integration or setup processes

Further Reading