Access Key Deleted
This alert occurs when Lacework detects the deletion of an existing access key.
Why this Alert is Important
Access keys are one of the most common means of authentication used in AWS. A leaked access key can give any attacker access to your environment. Also, whenever an account is compromised, the attacker wants to maintain and tries to elevate privileges by creating a new access key. A deleted access key can cause a loss of availability for a legitimate user/application.
Investigation
Examine the details of the user who triggered the access key creation/deletion. Examining the user deeper could provide other details such as the source IP from where the user logged in. This would help to investigate if someone was trying to impersonate the user. Also, search for any new users created or EC-2 instances spun up to maintain persistence by the attacker.
Resolution
Check that access key modification was done by a legitimate user/administrator. Limiting access key creation/ deletion to only privileged users can reduce the exposure of this incident.
Related Information
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html