AWS access key used to delete itself unexpectedly
Description
AlphaSOC detected that an AWS access key was used to delete itself using the DeleteAccessKey action. This action permanently removes the access key for an AWS IAM user. Threat actors often try to eliminate traces of their activity by deleting access keys they've compromised, making it harder for cybersecurity specialists to detect and investigate the breach.
Impact
Use of the DeleteAccessKey action by the key being deleted may indicate an ongoing compromise, where adversaries attempt to cover their tracks during the final stage of an attack.
Severity
| Severity | Condition |
|---|---|
| Low | AWS access key used to delete itself |
| Medium | AWS access key used to delete itself unexpectedly |
Investigation and Remediation
Review AWS CloudTrail logs to identify all actions performed using the deleted access key, search for any unusual activity associated with the key prior to its deletion, and verify whether the key deletion was authorized. If any malicious activity is detected, review all associated AWS IAM policies, restrict access for the AWS IAM user linked to the deleted access key, and conduct a thorough security audit of the AWS environment to identify and address any potential compromises.
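As an added illustration (not AlphaSOC's own rule logic), the check below walks CloudTrail records, flags each DeleteAccessKey call whose signing key (userIdentity.accessKeyId) is the key named in requestParameters.accessKeyId, and attaches the actions that key performed earlier in the log, which is the first thing the review above asks for. Field names follow the standard CloudTrail record layout; the records, user names, key IDs and IP addresses are constructed samples.

```python
from collections import defaultdict

# Constructed sample CloudTrail records (not real data), in chronological order.
# Key ...0001 lists S3 buckets and then deletes itself; admin key ...0002 deletes
# another user's key, which is ordinary rotation and must not be flagged.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "requestParameters": None,
     "userIdentity": {"userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "iam-admin", "accessKeyId": "AKIAEXAMPLE0002"},
     "requestParameters": {"userName": "ci-runner", "accessKeyId": "AKIAEXAMPLE0003"}},
]


def is_self_delete(event):
    """True when a DeleteAccessKey call was signed by the key it deletes."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "DeleteAccessKey":
        return False
    signer = (event.get("userIdentity") or {}).get("accessKeyId")
    target = (event.get("requestParameters") or {}).get("accessKeyId")
    return bool(signer) and signer == target


def find_self_deletions(events):
    """One finding per self-delete, with the actions the key took beforehand."""
    prior = defaultdict(list)  # accessKeyId -> "source:action" seen so far
    findings = []
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if is_self_delete(ev):
            findings.append({"accessKeyId": key,
                             "userName": ev["userIdentity"].get("userName"),
                             "sourceIPAddress": ev.get("sourceIPAddress"),
                             "priorActions": list(prior[key])})
        elif key:
            prior[key].append(f"{ev['eventSource']}:{ev['eventName']}")
    return findings


if __name__ == "__main__":
    for finding in find_self_deletions(SAMPLE_EVENTS):
        print(finding)
```

The "unexpectedly" qualifier in the Medium condition is not modelled here; in practice it is decided by comparing the finding's user and source address against known rotation jobs and locations.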