CreateKeyPair
AWS
CreateKeyPair
Event
Creates an EC2 key pair and returns the private key material, used for SSH authentication to EC2 instances.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.
Log Source
CloudTrail
Sample Event
Adversarial. Draco creates a new EC2 key pair (draco-backup-666) to use as a persistence path. Once RunInstances is later called specifying this key, or the key is associated with existing instances via user-data manipulation, Draco can SSH in directly. Source IP and user agent are the canonical adversary fingerprint.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T23:21:08Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "keyName": "draco-backup-666", "keyType": "rsa", "keyFormat": "pem" }, "responseElements": { "requestId": "90000000-0000-4000-8000-000010001110", "keyName": "draco-backup-666", "keyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "keyPairId": "key-0666backupkey6666" }, "requestID": "90000000-0000-4000-8000-000010001110", "eventID": "90000000-0000-4000-8000-000010001111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Persistence Lateral Movement
Techniques:
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
- T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.