
AWS IAM Long-Term Access Key First Seen from Source IP

Identifies the first time, within the configured history window, that a long-term IAM access key ID (prefix AKIA) is used successfully from a given source.ip in AWS CloudTrail. Long-term access keys belong to IAM users or the account root user. They are a common target after credential theft or leakage, including supply-chain and exposed-key scenarios. Temporary security credentials (prefix ASIA) and console sessions are excluded so the signal emphasizes programmatic access patterns.

MITRE ATT&CK

credential-access, initial-access

Detection Query

data_stream.dataset: "aws.cloudtrail"
    and event.outcome: "success"
    and source.ip:*
    and aws.cloudtrail.user_identity.access_key_id: AKIA*

Author

Elastic

Created

2026/04/06

Data Sources

AWS, Amazon Web Services, AWS CloudTrail, AWS IAM, logs-aws.cloudtrail-*

Tags

Domain: Cloud, Data Source: AWS, Data Source: Amazon Web Services, Data Source: AWS CloudTrail, Data Source: AWS IAM, Use Case: Threat Detection, Tactic: Credential Access, Tactic: Initial Access, Resources: Investigation Guide

Raw Content
[metadata]
creation_date = "2026/04/06"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Identifies the first time, within the configured history window, that a long-term IAM access key ID (prefix AKIA) is
used successfully from a given source.ip in AWS CloudTrail. Long-term access keys belong to IAM users or the account
root user. They are a common target after credential theft or leakage, including supply-chain and exposed-key scenarios.
Temporary security credentials (prefix ASIA) and console sessions are excluded so the signal emphasizes programmatic
access patterns.
"""
false_positives = [
    """
    Legitimate users may travel, rotate through VPN egress IPs, or run automation from new build hosts, producing a
    first-seen IP for an existing access key. Baseline the principal, confirm with the key owner, and extend the history
    window or add exceptions for known automation networks if needed.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Long-Term Access Key First Seen from Source IP"
note = """## Triage and analysis

### Investigating AWS IAM Long-Term Access Key First Seen from Source IP

This rule is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) detection on CloudTrail. It fires when a successful API call uses a long-term IAM access key (`AKIA*`) from a `source.ip` that has not appeared with that key in the rule history window.

Long-term keys are high-value targets. Unlike session credentials (`ASIA*`), they do not expire until rotated or deleted. Threat reporting on cloud compromises often highlights abuse of leaked or stolen `AKIA` keys.

### Possible investigation steps

**Confirm the key and principal**
- Identify the IAM user or root context implied by `aws.cloudtrail.user_identity.arn` or `user.name`.
- **`aws.cloudtrail.user_identity.type`**: Distinguish `IAMUser`, `Root`, or other types; root long-term keys warrant extra scrutiny.

**Assess the new source**
- **`source.ip`** and **`source.geo`**: Compare to normal geography, corporate egress, and known cloud provider ranges.
- **`user_agent.original`**: Identify AWS CLI, SDKs, custom tooling, or unusual agents.

**Correlate activity**
- Search CloudTrail for the same access key and IP over the following hours for sensitive APIs (IAM changes, STS, S3 data access, Secrets Manager, role assumption).
- Review IAM last-used metadata for the key in the AWS console or API (`GetAccessKeyLastUsed`).

### False positive analysis

- Travel and VPN egress IP changes for human IAM users.
- New CI runners, ephemeral build agents, or re-IP'd NAT gateways for automation keys.
- Partner or MSP access from new networks if keys are shared (discouraged practice).

### Response and remediation

- If unexpected, deactivate or delete the access key, rotate credentials, and review policies attached to the user.
- Enable or enforce MFA for console users; prefer roles and temporary credentials over long-term keys for workloads.
- Document approved networks or principals and tune history or exceptions accordingly.

### Additional information

- [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.pdf)

"""
references = [
    "https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise",
]
risk_score = 47
rule_id = "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Data Source: AWS IAM",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.outcome: "success"
    and source.ip:*
    and aws.cloudtrail.user_identity.access_key_id: AKIA*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.geo.city_name",
    "source.geo.country_iso_code",
    "source.as.organization.name",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.access_key_id", "source.ip"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
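To show how the KQL filter and the new-terms pairing of `access_key_id` with `source.ip` combine over a 10-day history window, here is an added Python simulation of the rule run over constructed CloudTrail-shaped events. It is not Elastic's code: the events, key IDs and IP addresses are placeholders, and the last-seen comparison is an approximation of how the New Terms rule type evaluates the window.

```python
from datetime import datetime, timedelta

# Mirrors [rule.new_terms] history_window_start = "now-10d" in the rule.
HISTORY_WINDOW = timedelta(days=10)

def matches_query(ev):
    """Python equivalent of the rule's KQL filter on one flattened CloudTrail event."""
    key_id = str(ev.get("aws.cloudtrail.user_identity.access_key_id", ""))
    return (
        ev.get("data_stream.dataset") == "aws.cloudtrail"
        and ev.get("event.outcome") == "success"
        and bool(ev.get("source.ip"))  # source.ip:* -> field must be present
        and key_id.startswith("AKIA")  # long-term key; ASIA* session creds drop out
    )

def first_seen_alerts(events, window=HISTORY_WINDOW):
    """Events whose (access_key_id, source.ip) pair was not seen within `window` before them.
    Approximates New Terms: a pair is new if its last sighting is absent or older than the window."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        pair = (ev["aws.cloudtrail.user_identity.access_key_id"], ev["source.ip"])
        ts = ev["@timestamp"]
        prev = last_seen.get(pair)
        if prev is None or ts - prev > window:
            alerts.append(ev)
        last_seen[pair] = ts
    return alerts

def _ev(day, outcome, key_id, ip):
    """Constructed, minimal CloudTrail-shaped event (not real log data)."""
    return {
        "@timestamp": datetime(2026, 4, day),
        "data_stream.dataset": "aws.cloudtrail",
        "event.outcome": outcome,
        "source.ip": ip,
        "aws.cloudtrail.user_identity.access_key_id": key_id,
    }

# Constructed sample: placeholder key IDs and RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    _ev(1, "success", "AKIAPLACEHOLDER00001", "203.0.113.10"),   # first sighting -> alert
    _ev(2, "success", "AKIAPLACEHOLDER00001", "203.0.113.10"),   # seen a day earlier -> no alert
    _ev(3, "success", "AKIAPLACEHOLDER00001", "198.51.100.7"),   # same key, new IP -> alert
    _ev(3, "success", "ASIAPLACEHOLDER00001", "198.51.100.7"),   # temporary creds -> excluded
    _ev(4, "failure", "AKIAPLACEHOLDER00002", "198.51.100.7"),   # failed call -> excluded
    _ev(20, "success", "AKIAPLACEHOLDER00001", "203.0.113.10"),  # >10d since day 2 -> alert again
]
ALERTS = first_seen_alerts(SAMPLE_EVENTS)  # three events: days 1, 3 (new IP) and 20
```

The day-20 hit illustrates the tuning point in the false-positive guidance: a quiet key reappearing from a previously known IP after the window lapses fires again unless the history window is extended.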