
AWS API calls indicating deletion of AWS access key

ID: aws_access_key_deleted
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1578

Description

AlphaSOC detected that an AWS access key was deleted using the DeleteAccessKey action. This action permanently removes the access key for an AWS IAM user. Threat actors often try to eliminate traces of their activity by deleting access keys they've compromised, making it harder for cybersecurity specialists to detect and investigate the breach.

Impact

Use of the DeleteAccessKey action may indicate an ongoing compromise, where adversaries attempt to cover their tracks during the final stages of an attack.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time
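The scoring described by the severity table, as an added example run over constructed CloudTrail records (this is illustrative code, not AlphaSOC's detection engine). The per-principal baseline, the IP-to-ASN lookup table, the account id and the AKIA key ids are all constructed assumptions; CloudTrail itself records only sourceIPAddress, so the ASN comes from an enrichment step.

```python
import json

# Constructed CloudTrail log file (abbreviated records) standing in for real input.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "52.94.76.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "52.94.76.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice", "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "python-requests/2.31.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice", "accessKeyId": "AKIAEXAMPLEKEY00002"}},
]})

# Constructed per-principal baseline of expected values; a real deployment learns it from history.
BASELINE = {"arn:aws:iam::123456789012:user/alice": {
    "action": {"CreateAccessKey", "DeleteAccessKey", "ListAccessKeys"},
    "asn": {"AS16509"}, "user_agent": {"aws-cli/2.15.0"}, "region": {"us-east-1"}}}
EMPTY = {"action": set(), "asn": set(), "user_agent": set(), "region": set()}

# Constructed IP-to-ASN table: CloudTrail records carry only sourceIPAddress, so ASN is enrichment.
IP_TO_ASN = {"52.94.76.10": "AS16509", "198.51.100.23": "AS64496"}

# Severity by number of unexpected properties, per the table above; zero raises nothing
# and more than three is capped at Medium (both assumptions, not stated on the page).
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

def unexpected_properties(rec, base):
    """Names of the properties (action, ASN, user agent, region) that fall outside the baseline."""
    observed = {"action": rec["eventName"], "asn": IP_TO_ASN.get(rec["sourceIPAddress"]),
                "user_agent": rec["userAgent"], "region": rec["awsRegion"]}
    return [name for name, value in observed.items() if value not in base[name]]

def score_delete_access_key(log_text):
    """(principal, deleted accessKeyId, unexpected properties, severity) per IAM DeleteAccessKey call."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "DeleteAccessKey":
            continue
        principal = rec["userIdentity"]["arn"]
        props = unexpected_properties(rec, BASELINE.get(principal, EMPTY))
        if props:
            findings.append((principal, rec["requestParameters"]["accessKeyId"],
                             props, SEVERITY[min(len(props), 3)]))
    return findings
```

Only the second DeleteAccessKey call is reported: its ASN, user agent and region all fall outside alice's baseline, so it scores Medium, while the routine deletion from the expected tooling and region produces no finding.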

Investigation and Remediation

Review AWS CloudTrail logs, search for any unusual activity associated with the key prior to its deletion, and verify whether the DeleteAccessKey action was authorized. If any suspicious activity is detected, revoke permissions for the AWS IAM user linked to the deleted access key, review the associated AWS IAM policies, and investigate the full scope of actions performed using that key.