EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

AWS CreateAccessKey

The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.

MITRE ATT&CK

T1136.003

Detection Query

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
  | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
  | search match=0
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_createaccesskey_filter`

Author

Bhavin Patel, Splunk

Created

2026-02-25

Data Sources

AWS CloudTrail CreateAccessKey

References

Tags

AWS IAM Privilege Escalation
Raw Content
name: AWS CreateAccessKey
id: 2a9b80d3-6340-4345-11ad-212bf3d0d111
version: 10
date: '2026-02-25'
author: Bhavin Patel, Splunk
status: production
type: Hunting
description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
data_source:
    - AWS CloudTrail CreateAccessKey
search: |-
    `cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
      | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
      | search match=0
      | rename user_name as user
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY signature dest user
           user_agent src vendor_account
           vendor_region vendor_product
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `aws_createaccesskey_filter`
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
references:
    - https://bishopfox.com/blog/privilege-escalation-in-aws
    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
tags:
    analytic_story:
        - AWS IAM Privilege Escalation
    asset_type: AWS Account
    mitre_attack_id:
        - T1136.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail