UpdateAccessKey
Event
Changes the status of an IAM user’s access key between Active and Inactive.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
- T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azu...