
Summary
This detection rule monitors AWS CloudTrail logs to identify access keys created within the last two hours. Creating an access key is one way an attacker can establish long-term access to AWS resources, so such events carry significant security risk. The rule uses a SQL-like query over the CloudTrail logs that focuses on the 'CreateAccessKey' event. Tracking these events lets organizations detect potentially unauthorized access to their AWS environment and respond promptly to mitigate threats. Access key creation is associated with account manipulation for persistence (ATT&CK T1098), a common tactic of threat actors. Monitoring this event helps protect cloud environments from compromise by ensuring that every access key creation is reviewed and verified.
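As an added illustration (not the rule's own query, which is not reproduced here), the same check expressed in Python over constructed CloudTrail-style records: it keeps CreateAccessKey events inside a two-hour window and notes when the key was created for an IAM user other than the caller. Field names follow the CloudTrail record format; the account id, user names and timestamps are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (placeholders, not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-02-09T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-02-09T09:50:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAccessKeys",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-02-09T06:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "bob"}},
]


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def recent_access_key_creations(events, now, window=timedelta(hours=2)):
    """Return CreateAccessKey events whose eventTime lies within `window` before `now`.

    Each hit records who acted, which IAM user received the key, and whether
    those differ (a key minted for another principal deserves a closer look).
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreateAccessKey":
            continue
        t = parse_event_time(ev["eventTime"])
        if not (now - window <= t <= now):
            continue
        actor_arn = ev.get("userIdentity", {}).get("arn", "")
        actor = actor_arn.rsplit("/", 1)[-1]
        # If userName is omitted, IAM creates the key for the calling user.
        target = ev.get("requestParameters", {}).get("userName") or actor
        hits.append({"eventTime": ev["eventTime"], "actor": actor_arn,
                     "target_user": target, "cross_user": actor != target})
    return hits


if __name__ == "__main__":
    now = parse_event_time("2024-02-09T11:00:00Z")  # constructed "current" time
    print(json.dumps(recent_access_key_creations(SAMPLE_EVENTS, now), indent=2))
```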
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Application Log
- Network Traffic
ATT&CK Techniques
- T1098
Created: 2024-02-09