Skip to content

UpdateAccessKey

AWS

UpdateAccessKey

service: AWS - IAM
tactics:
techniques:

Event

Changes the status of an IAM user’s access key between Active and Inactive.

Security Context

  • Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.

Log Source

CloudTrail

Sample Event

Adversarial. Draco reactivates a previously-deactivated access key on Hermione’s user (hermione). The key was disabled months ago when she rotated, but the AccessKeyId is still on her user — adversaries who learn old AccessKeyIds (e.g., from leaked git commits) can flip the status and use the corresponding secret if they have it (or, if they don’t, this primitive is most useful when paired with CreateAccessKey on the same user — see pilot draft). The narrower variant in this draft is deactivating Hermione’s currently-active key to break legitimate access while Draco operates — same UpdateAccessKey API, status set to Inactive. Modeling the deactivation case as more impactful for our cast.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:18:24Z",
"eventSource": "iam.amazonaws.com",
"eventName": "UpdateAccessKey",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"userName": "hermione",
"accessKeyId": "AKIAHERM10NEEXAMPLE1",
"status": "Inactive"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000111000000",
"eventID": "90000000-0000-4000-8000-000111000001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...