Access Key Deleted

This alert occurs when Lacework detects the deletion of an existing access key.

Why this Alert is Important

Access keys are one of the most common means of authentication used in AWS. A leaked access key can give any attacker access to your environment. Also, whenever an account is compromised, the attacker wants to maintain and tries to elevate privileges by creating a new access key. A deleted access key can cause a loss of availability for a legitimate user/application.

Investigation

Examine the details of the user who triggered the access key creation/deletion. Examining the user deeper could provide other details such as the source IP from where the user logged in. This would help to investigate if someone was trying to impersonate the user. Also, search for any new users created or EC-2 instances spun up to maintain persistence by the attacker.

Resolution

Check that access key modification was done by a legitimate user/administrator. Limiting access key creation/ deletion to only privileged users can reduce the exposure of this incident.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Why this Alert is Important​

Investigation​

Resolution​

Related Information​

Why this Alert is Important

Investigation

Resolution

Related Information