Detection rules › Panther
AWS IAM Access Key Compromise Detection
This alert occurs when AWS has detected exposed credentials. It attaches a policy to deny certain actions, effectively quarantining those credentials, and is accompanied by a support case with instructions for detaching the policy.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1552 Unsecured Credentials |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- AWSCloudTrail - Privilege escalation via CloudFormation policy (Kusto)
- AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy (Kusto)
- AWSCloudTrail - Privilege escalation via CRUD IAM policy (Kusto)
- AWSCloudTrail - Privilege escalation via CRUD KMS policy (Kusto)
- AWSCloudTrail - Privilege escalation via CRUD Lambda policy (Kusto)
- AWSCloudTrail - Privilege escalation via CRUD S3 policy (Kusto)
- AWSCloudTrail - Privilege escalation via DataPipeline policy (Kusto)
- AWSCloudTrail - Privilege escalation via EC2 policy (Kusto)
Rule body yaml
AnalysisType: rule
Filename: aws_key_compromised.py
RuleID: "AWS.IAM.AccessKeyCompromised"
DisplayName: "AWS IAM Access Key Compromise Detection"
Enabled: true
LogTypes:
- AWS.CloudTrail
Reports:
MITRE ATT&CK:
- TA0006:T1552
Tags:
- AWS
- Credential Access:Unsecured Credentials
Severity: High
Description: This alert occurs when AWS has detected exposed credentials. It attaches a policy to deny certain actions, effectively quarantining those credentials, and is accompanied by a support case with instructions for detaching the policy.
Runbook: Determine the IAM user who owns the key, rotate/disable/delete the key, and then investigate which actions were taken by the compromised key to determine scope and if any remediation is needed.
Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
Tests:
- Name: An AWS IAM Access Key was Compromised
ExpectedResult: true
Log:
{
"eventSource": "iam.amazonaws.com",
"recipientAccountId": "123456789012",
"responseElements": null,
"userIdentity":
{
"type": "IAMUser",
"userName": "compromised_user",
"principalId": "XXXXXXXXXXXXXXXXXXX",
"accessKeyId": "XXXXXXXXXXXXXXXXXXXXX",
"arn": "arn:aws:iam::123456789012:user/compromised_user",
"accountId": "123456789012",
},
"eventName": "PutUserPolicy",
"eventVersion": "1.05",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.706 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.242-b08 java/1.8.0_242 vendor/Oracle_Corporation",
"requestParameters":
{
"policyDocument": '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1538161409","Effect":"Deny","Action":["lambda:CreateFunction","iam:AttachUserPolicy","iam:PutUserPolicy","organizations:InviteAccountToOrganization","ec2:RunInstances","iam:DetachUserPolicy","iam:CreateUser","lightsail:Create*","lightsail:Update*","ec2:StartInstances","ec2:RequestSpotInstances","iam:ChangePassword","iam:CreateLoginProfile","organizations:CreateOrganization","organizations:CreateAccount","lightsail:Delete*","iam:AttachGroupPolicy","iam:CreateAccessKey","iam:UpdateUser","iam:UpdateAccountPasswordPolicy","iam:DeleteUserPolicy","iam:PutUserPermissionsBoundary","iam:UpdateAccessKey","lightsail:DownloadDefaultKeyPair","iam:CreateInstanceProfile","lightsail:Start*","lightsail:GetInstanceAccessDetails","iam:CreateRole","iam:PutGroupPolicy","iam:AttachRolePolicy"],"Resource":["*"]}]}',
"userName": "compromised_user",
"policyName": "AWSCompromisedKeyQuarantineV3",
},
"eventID": "1c2a53d1-58cc-41b3-85b8-bd7565370e0d",
"eventType": "AwsApiCall",
"sourceIPAddress": "72.21.217.97",
"awsRegion": "us-east-1",
"requestID": "27ca92a5-61cc-44aa-b875-042a25310064",
"eventTime": "2020-04-10T06:22:08Z",
}
- Name: Request Param is null
ExpectedResult: false
Log:
{
"eventSource": "iam.amazonaws.com",
"recipientAccountId": "123456789012",
"responseElements": null,
"userIdentity":
{
"type": "IAMUser",
"userName": "compromised_user",
"principalId": "XXXXXXXXXXXXXXXXXXX",
"accessKeyId": "XXXXXXXXXXXXXXXXXXXXX",
"arn": "arn:aws:iam::123456789012:user/compromised_user",
"accountId": "123456789012",
},
"eventName": "PutUserPolicy",
"eventVersion": "1.05",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.706 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.242-b08 java/1.8.0_242 vendor/Oracle_Corporation",
"requestParameters": null,
"eventID": "1c2a53d1-58cc-41b3-85b8-bd7565370e0d",
"eventType": "AwsApiCall",
"sourceIPAddress": "72.21.217.97",
"awsRegion": "us-east-1",
"requestID": "27ca92a5-61cc-44aa-b875-042a25310064",
"eventTime": "2020-04-10T06:22:08Z",
}
Detection logic
Condition
eventName eq "PutUserPolicy"
requestParameters.policyName in ["AWSExposedCredentialPolicy_DO_NOT_REMOVE", "AWSCompromisedKeyQuarantine", "AWSCompromisedKeyQuarantineV2", "AWSCompromisedKeyQuarantineV3"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | eq |
|
requestParameters.policyName | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
eventName | |
eventSource | |
awsRegion | |
recipientAccountId | |
sourceIPAddress | |
userAgent | |
userIdentity | |
userName | userIdentity.userName |
accessKeyId | userIdentity.accessKeyId |