CreateAccessKey
AWS
CreateAccessKey
Event
Creates a new long-term access key for an IAM user, enabling programmatic access to AWS services.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.
Log Source
CloudTrail
Sample Event
Hermione (IAM admin) provisions a long-term access key for Ron in the production account so he can run an OCCAMY pipeline migration from his dev workstation. Cross-user CreateAccessKey is a routine admin task in this org but is exactly the shape privilege-escalation detections fire on (userIdentity.userName ≠ requestParameters.userName).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDAHERM10NE000ADM1N", "arn": "arn:aws:iam::555123456789:user/hermione", "accountId": "555123456789", "accessKeyId": "AKIAHERM10NEEXAMPLE1", "userName": "hermione", "sessionContext": { "attributes": { "creationDate": "2026-04-15T13:42:11Z", "mfaAuthenticated": "true" } } }, "eventTime": "2026-04-15T14:07:33Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.42", "userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/iam.create-access-key", "requestParameters": { "userName": "ron" }, "responseElements": { "accessKey": { "userName": "ron", "accessKeyId": "AKIAR0NWEA5LEYEXAMP2", "status": "Active", "createDate": "Apr 15, 2026 2:07:33 PM" } }, "requestID": "90000000-0000-4000-8000-000000000001", "eventID": "90000000-0000-4000-8000-000000000010", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Persistence Credential Access
Techniques:
- T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.