
AWS Static Access Key Used

Overview

This detector monitors CloudTrail events and identifies when access keys are used in your account. Issues are automatically resolved after a configurable period of time (default: 120 minutes) so repeated activity opens a new issue.
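As an added illustration of the detection logic described above (example code, not the detector's own implementation), the script below flags CloudTrail events signed with long-term access keys, using the AWS-documented key ID prefixes (AKIA for long-term keys, ASIA for temporary STS credentials), and groups them into issues that resolve after a configurable window. The sample records are constructed, and measuring the window from the last observed event is an assumption about the resolution semantics.

```python
from datetime import datetime, timedelta, timezone

STATIC_KEY_PREFIX = "AKIA"  # long-term IAM user access key (AWS-documented prefix);
                            # STS temporary credentials use "ASIA" instead

def is_static_key_event(event: dict) -> bool:
    """True when the API call was signed with a long-lived access key."""
    key_id = event.get("userIdentity", {}).get("accessKeyId", "")
    return key_id.startswith(STATIC_KEY_PREFIX)

def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_issues(events: list, resolve_after_minutes: int = 120) -> dict:
    """Group static-key events into issues, keyed by access key ID.
    Assumed semantics: an issue stays open while further events for the same key
    arrive within resolve_after_minutes of the previous one; after that the issue
    is resolved and the next event opens a new one."""
    window = timedelta(minutes=resolve_after_minutes)
    issues = {}  # accessKeyId -> [{"first": dt, "last": dt, "count": n}, ...]
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not is_static_key_event(ev):
            continue  # temporary (ASIA) credentials are the recommended path
        key_id = ev["userIdentity"]["accessKeyId"]
        t = parse_time(ev["eventTime"])
        per_key = issues.setdefault(key_id, [])
        if per_key and t - per_key[-1]["last"] <= window:
            per_key[-1]["last"] = t
            per_key[-1]["count"] += 1
        else:
            per_key.append({"first": t, "last": t, "count": 1})
    return issues

# Constructed sample CloudTrail records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"}},
    {"eventTime": "2024-01-01T11:30:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-01-01T14:00:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
]

if __name__ == "__main__":
    for key_id, per_key in build_issues(SAMPLE_EVENTS).items():
        for issue in per_key:
            print(key_id, issue["first"].isoformat(), "events:", issue["count"])
```

With the default 120-minute window the three AKIA events above produce two issues for the same key (the 14:00 call arrives 150 minutes after the previous one), while the ASIA event is ignored.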

Access keys are long-lived static credentials that present significant risk if compromised. In many cases it is possible, and safer, to use IAM Roles and temporary tokens instead.

Replacing compromised access keys in production systems can also cause significant operational disruption, even if the security impact is contained. For example, if AWS Security discovers a publicly exposed access key for your account (for example, one committed to a public code repository), they may disable or revoke the key. If keys are embedded in application code, replacing them could require significant and unexpected effort.

Some common scenarios where access keys may be stored insecurely:

  • Embedded in application code (and likely stored in version control)
  • Checked into version control as part of a local configuration file
  • Stored on developer and administrator systems
  • Stored in instances or containers (and their images)
  • Stored in snapshots, saved scripts, and other storage

The AWS General Reference Guide provides valuable advice on how to use IAM Roles and temporary tokens instead of static access keys for many use cases.

You can learn more about the risks posed by static access keys, and how to mitigate risk on the Cloud Defense blog.

This event could be an indication of initial access through a valid account.

Vendor

AWS

Severity

3