title: Creation of AWS API keys for users.
id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
status: experimental
author: faloker
date: 2020/02/12
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
logsource:
    service: cloudtrail
detection:
    selection_source:
        - eventSource: iam.amazonaws.com
    selection_eventname:
        - eventName: CreateAccessKey
    filter:
        userIdentity.arn|contains: responseElements.accessKey.userName
    condition: all of selection* and not filter
fields:
    - userIdentity.arn
    - responseElements.accessKey.userName
    - errorCode
    - errorMessage
level: medium
falsepositives:
    - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
    - AWS API keys legitimate exchange workflows
tags:
    - attack.t1098