AWS IAM Long-Term Access Key First Seen from Source IP
The rule identifies the first time a long-term IAM access key ID (prefix AKIA) is used successfully from a given source.ip in AWS CloudTrail, indicating potential credential compromise.
This detection rule identifies the first time, within a configured history window, that a long-term IAM access key ID (prefix AKIA) is used successfully from a given source.ip in AWS CloudTrail. Long-term access keys belong to IAM users or the account root user. They are a common target after credential theft or leakage, including supply-chain and exposed-key scenarios. The rule excludes temporary security credentials (prefix ASIA) and console sessions to emphasize programmatic access patterns. The default history window for this rule is 6 months. This activity can indicate compromised credentials being used from a new, unexpected location.
Attack Chain
- An attacker gains access to a long-term AWS IAM access key (AKIA...). This could be through credential theft, a supply chain compromise (e.g., via leaked secrets in code), or an exposed key scenario.
- The attacker uses the stolen AWS IAM key to make an API request to AWS.
- AWS CloudTrail logs the API request, including the source IP address.
- The detection rule analyzes CloudTrail logs, specifically looking for successful API calls.
- The rule checks if the combination of access key and source IP has been seen before within the configured history window (default 6 months).
- If the access key is used from a source IP that has not been seen before, the rule triggers.
- The attacker attempts to perform privileged actions using the compromised key, such as modifying IAM policies, accessing S3 buckets, or assuming roles.
- The attacker achieves their objective: data exfiltration, resource takeover, or denial of service.
Impact
Compromised IAM credentials can lead to significant security breaches, including unauthorized access to sensitive data, modification or deletion of critical resources, and potential financial losses. If successful, attackers can gain a foothold in the AWS environment and move laterally to other services and resources. This can lead to data breaches, service disruptions, and reputational damage.
Recommendation
- Deploy the Sigma rule below to your SIEM and tune the history window for your environment.
- Investigate any alerts generated by the "AWS IAM Long-Term Access Key First Seen from Source IP" Sigma rule, focusing on the user identity and source IP.
- Review IAM last-used metadata for the key in the AWS console or API (
GetAccessKeyLastUsed) to confirm the key's usage. - If unexpected activity is detected, deactivate or delete the access key, rotate credentials, and review policies attached to the user.
- Enable or enforce MFA for console users and prefer roles and temporary credentials over long-term keys for workloads as described in the AWS Security Incident Response Guide.
Detection coverage 2
AWS IAM Access Key Used From New Source IP
mediumDetects when an AWS IAM access key is used from a previously unseen source IP address based on CloudTrail logs.
AWS IAM Root Account Access Key Usage
highDetects the usage of root account access keys, which is highly discouraged.
Detection queries are available on the platform. Get full rules →