An AWS access key was created by the root account
Description
AlphaSOC detected that an AWS access key was created by the root account. Threat actors may create access keys to maintain persistent access to victim accounts and instances within the AWS environment. This action is especially concerning if the access key was created for the root user, as it has unrestricted access to all AWS resources, making it a prime target for threat actors.
Impact
The unexpected creation of an access key may indicate that threat actors are trying to maintain their foothold by creating additional methods to access compromised resources. If root credentials or other elevated-privilege credentials are compromised, threat actors could gain full control over the AWS environment, enabling them to create or delete resources, access sensitive data, host malicious infrastructure, and incur substantial financial costs.
Severity
Severity | Condition |
---|---|
Medium | An AWS access key was created |
High | An AWS access key was created for the root user |
Investigation and Remediation
Identify who created the access key and determine whether the action was authorized. Review AWS CloudTrail logs for any other suspicious activities. If the access key creation was unauthorized, delete the key and enforce a password reset for the affected account. As a best practice, avoid using long-term credentials such as access keys. Instead, utilize IAM roles and temporary credentials provided by the AWS Security Token Service (STS) whenever possible.
Known False Positives
- Automated scripts or tools might attempt to create root access keys as part of a misconfigured setup process
- Older workflows or applications might inadvertently create root access keys
- Third-party tools or plugins may attempt to generate root access keys as part of integration or setup processes