AWS Access Key ID
Service Name: Amazon Web Services
Service Description: Amazon Web Services (AWS) is a comprehensive cloud platform offering over 200 fully featured services from data centers globally. AWS Access Key IDs are part of the credential pair used for programmatic access to AWS services.
Service Address: https://aws.amazon.com/
Validation Type: API Auth, NHI Enriched
IP Allow list: IP Restriction is available per service using Security Groups, VPCs, or IAM policy conditions.
Secret Access Scope: Grants programmatic access to AWS resources and services based on the permissions assigned to the associated IAM user or role.
Secret Revokement URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
Secret Example: AKIAIOSFODNN7EXAMPLE
Suspicious Activity Investigation Instructions:
- Review CloudTrail logs for unusual API calls or resource access using this key.
- Check AWS Cost Explorer for unexpected spikes in usage or costs.
- Use AWS IAM Access Analyzer to identify resources shared with external entities.
- Examine the AWS Console for unusual activity, resource creation, or modification.
- Verify the last used information for the access key in the IAM console.
- Check for unauthorized EC2 instances, Lambda functions, or other compute resources.
Mitigation Instructions:
- Immediately deactivate the compromised access key in the IAM console.
- Create a new access key if needed before deleting the compromised one.
- Rotate all potentially affected secrets and credentials.
- Review and update IAM policies to enforce the Principle of Least Privilege.
- Enable AWS CloudTrail if not already enabled to monitor API activity.
- Implement multi-factor authentication for IAM users.
- Consider using AWS Security Token Service (STS) for temporary credentials instead of long-term access keys.
- Set up AWS Config rules to monitor for compliance violations.
- Implement automated key rotation using AWS Secrets Manager.