Skip to content

CreateAccessKey

AWS

CreateAccessKey

service: AWS - IAM
techniques:

Event

Creates a new long-term access key for an IAM user, enabling programmatic access to AWS services.

Security Context

  • Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
  • Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.

Log Source

CloudTrail

Sample Event

Hermione (IAM admin) provisions a long-term access key for Ron in the production account so he can run an OCCAMY pipeline migration from his dev workstation. Cross-user CreateAccessKey is a routine admin task in this org but is exactly the shape privilege-escalation detections fire on (userIdentity.userNamerequestParameters.userName).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAHERM10NE000ADM1N",
"arn": "arn:aws:iam::555123456789:user/hermione",
"accountId": "555123456789",
"accessKeyId": "AKIAHERM10NEEXAMPLE1",
"userName": "hermione",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T13:42:11Z",
"mfaAuthenticated": "true"
}
}
},
"eventTime": "2026-04-15T14:07:33Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateAccessKey",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.42",
"userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/iam.create-access-key",
"requestParameters": {
"userName": "ron"
},
"responseElements": {
"accessKey": {
"userName": "ron",
"accessKeyId": "AKIAR0NWEA5LEYEXAMP2",
"status": "Active",
"createDate": "Apr 15, 2026 2:07:33 PM"
}
},
"requestID": "90000000-0000-4000-8000-000000000001",
"eventID": "90000000-0000-4000-8000-000000000010",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence Credential Access

Techniques:
  • T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.