AWS API calls indicating creation of AWS API Gateway key
Description
AlphaSOC detected that an AWS API Gateway key was created using the CreateApiKey action. This action generates a new API key in AWS API Gateway, which can be used to authenticate and control API access. Adversaries may create such keys to maintain persistent access to the account or bypass security controls.
Impact
Unauthorized creation of AWS API Gateway keys may indicate that threat actors have gained initial access to the AWS account and are attempting to maintain persistence. This can lead to data breaches, service disruptions, or further compromise of the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify who performed the CreateApiKey action and verify whether it was authorized. If unauthorized, delete the API key using the DeleteApiKey action, revoke permissions from the AWS IAM user or role that created it, and investigate for signs of further compromise.
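
The CloudTrail review and the severity table above can be combined into one triage pass. This is an added example, not AlphaSOC's detection logic: it filters records for successful CreateApiKey calls, compares action, ASN, user agent and region against a per-principal baseline, and maps the number of unexpected properties to the severities listed. The baseline, the prefix-to-ASN table, the sample records and the cap at Medium for four unexpected properties are all assumptions.

```python
import ipaddress

# Constructed baseline of what each principal normally does (assumption).
BASELINE = {"arn:aws:iam::111122223333:user/deploy-bot": {
    "action": {"GetRestApis", "CreateDeployment"}, "asn": {64500},
    "user_agent": {"aws-cli/2.15.0"}, "region": {"us-east-1"}}}
# Constructed prefix-to-ASN table standing in for a real IP-to-ASN lookup.
ASN_TABLE = {"198.51.100.0/24": 64500, "203.0.113.0/24": 64511}
# Severity table from the page; four unexpected properties capped at Medium (assumption).
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium", 4: "Medium"}

def asn_for(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # sourceIPAddress may be a service name, not an IP
        return None
    return next((asn for net, asn in ASN_TABLE.items()
                 if addr in ipaddress.ip_network(net)), None)

def triage(records):
    """Return one finding per successful CreateApiKey call."""
    findings = []
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) != ("apigateway.amazonaws.com", "CreateApiKey"):
            continue
        if r.get("errorCode"):  # denied or failed call: no key was created
            continue
        who = r.get("userIdentity", {}).get("arn", "unknown")
        seen = {"action": r["eventName"], "asn": asn_for(r.get("sourceIPAddress", "")),
                "user_agent": r.get("userAgent"), "region": r.get("awsRegion")}
        base = BASELINE.get(who, {})  # unknown principal: everything is unexpected
        unexpected = sorted(k for k, v in seen.items() if v not in base.get(k, set()))
        findings.append({"who": who, "time": r.get("eventTime"), "unexpected": unexpected,
                         "severity": SEVERITY.get(len(unexpected))})
    return findings

# Constructed CloudTrail records (not real log data).
SAMPLE = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateApiKey", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateApiKey", "awsRegion": "us-east-1", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.9", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

User agents are matched exactly here; a production baseline would normally normalize the version suffixes that CloudTrail records.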