
How do I investigate unauthorized IAM user or access key creation in my AWS account?


I want to investigate unauthorized AWS Identity and Access Management (IAM) user or access key creation in my AWS account.

Resolution

To resolve unauthorized IAM user or access key creation, identify the compromised principal that made the call, determine what access the new user or key was granted, contain the threat by cutting off the credentials, and then remove the unauthorized resources after you have preserved the evidence.

Identify and analyze the unauthorized event

IAM is a global service, so AWS CloudTrail records IAM API calls as global service events. In CloudTrail Event history these events appear in the US East (N. Virginia) Region (us-east-1), not in whichever Region you have selected in the console. Event history keeps only the last 90 days; for older activity, query the trail's Amazon S3 logs with Amazon Athena or use CloudTrail Lake.

To review recent CloudTrail events, use the AWS Management Console, or use the AWS CLI against us-east-1, for example: aws cloudtrail lookup-events --region us-east-1 --lookup-attributes AttributeKey=EventName,AttributeValue=CreateAccessKey

To identify an unauthorized IAM user or access key creation, review the following event details:

  • Review userIdentity.arn to identify the principal that made the call, and userIdentity.accessKeyId to identify the specific key that signed the request
  • Check that the sourceIPAddress is an address you expect for that principal (for example, your corporate egress range or a known CI runner), not an unfamiliar network or country
  • Confirm the userAgent shows the tool that principal normally uses (for example, aws-cli, an SDK, or the console) rather than a generic HTTP client
  • Verify the eventTime falls within an approved change window or matches known activity

You can determine the credential type from the Amazon Resource Name (ARN) format in userIdentity.arn. The ARN format arn:aws:iam::ACCOUNT_ID:user/NAME indicates an IAM user. The ARN format arn:aws:iam::ACCOUNT_ID:root indicates the root user. The ARN format arn:aws:sts::ACCOUNT_ID:assumed-role/ROLE_NAME/SESSION_NAME indicates a role session; in that case, userIdentity.sessionContext.sessionIssuer identifies the role, and you must trace who assumed it.

Note: If the root user made the call, then take immediate action to secure your root user credentials: change the root password, delete any root access keys, and confirm that MFA is turned on for the root user.

Check permissions granted to unauthorized entities

Review CloudTrail events for related events to determine the access that was granted to the unauthorized user. The requestParameters.userName field links each grant to the user it targets. Review the following event names:

  • AttachUserPolicy
  • PutUserPolicy
  • AddUserToGroup
  • CreateLoginProfile

Review each event to identify which permissions were granted: policyArn for AttachUserPolicy, the policyDocument for PutUserPolicy, and groupName for AddUserToGroup (then review the group's policies). CreateLoginProfile means the user was also given a console password. To review which services the user actually called, use the console to view last accessed information for IAM, or use the AWS CLI: aws iam generate-service-last-accessed-details followed by aws iam get-service-last-accessed-details.
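The two steps above (checking the four event fields on the creation event, then collecting the follow-on grants for the created user) are easy to script once you have the CloudTrail records as JSON. The following is an added example, not AWS code or part of the original article. It runs over constructed sample records trimmed to the fields the triage reads; the CIDR allowlist, the user-agent prefixes and the approved change window are hypothetical values for an illustrative account, and the account ID and access key IDs are AWS documentation placeholders.

```python
"""Triage CloudTrail records for unauthorized IAM user / access key creation.

Added example (not AWS code). Sample records below are constructed; the
expectations (CIDRs, user agents, window) are hypothetical for this account.
"""
import ipaddress
import json
from datetime import datetime, timezone
from urllib.parse import quote, unquote

CREATION_EVENTS = {"CreateUser", "CreateAccessKey"}
GRANT_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup", "CreateLoginProfile"}

# Assumptions for this illustration, not AWS defaults: replace with your own.
EXPECTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]      # corporate egress (TEST-NET-3)
EXPECTED_AGENT_PREFIXES = ("aws-cli/", "terraform", "console.amazonaws.com")
INVESTIGATION_WINDOW = (datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc),   # approved change window
                        datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc))


def _rec(time, name, ip, agent, ident, params):
    """Build a constructed CloudTrail record (subset of the real fields)."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userAgent": agent, "userIdentity": ident,
            "requestParameters": params}


DEPLOY_BOT = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot",
              "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
CI_RUNNER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-runner",
             "userName": "ci-runner", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed: an attacker using deploy-bot's stolen key, plus one legitimate key rotation.
SAMPLE_EVENTS = [
    _rec("2024-05-01T09:12:44Z", "CreateUser", "198.51.100.23", "python-requests/2.31.0",
         DEPLOY_BOT, {"userName": "svc-backup"}),
    _rec("2024-05-01T09:13:02Z", "CreateAccessKey", "198.51.100.23", "python-requests/2.31.0",
         DEPLOY_BOT, {"userName": "svc-backup"}),
    _rec("2024-05-01T09:13:20Z", "AttachUserPolicy", "198.51.100.23", "python-requests/2.31.0",
         DEPLOY_BOT, {"userName": "svc-backup",
                      "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-05-01T09:13:41Z", "PutUserPolicy", "198.51.100.23", "python-requests/2.31.0",
         DEPLOY_BOT, {"userName": "svc-backup", "policyName": "backup",
                      "policyDocument": quote(json.dumps(ALLOW_ALL))}),  # CloudTrail URL-encodes it
    _rec("2024-05-01T09:14:05Z", "CreateLoginProfile", "198.51.100.23", "python-requests/2.31.0",
         DEPLOY_BOT, {"userName": "svc-backup", "passwordResetRequired": False}),
    _rec("2024-05-01T08:30:00Z", "CreateAccessKey", "203.0.113.10", "aws-cli/2.15.30 Python/3.11.8",
         CI_RUNNER, {}),                                 # self rotation: no userName parameter
    _rec("2024-05-01T08:31:00Z", "AddUserToGroup", "203.0.113.10", "aws-cli/2.15.30 Python/3.11.8",
         CI_RUNNER, {"groupName": "readers", "userName": "alice"}),   # unrelated grant
]


def credential_type(arn):
    """Classify the calling credential from userIdentity.arn."""
    if arn.endswith(":root"):
        return "root"
    if ":user/" in arn:
        return "iam-user"
    if ":assumed-role/" in arn:
        return "assumed-role"
    return "other"


def is_admin_grant(event):
    """True if the grant hands out administrator-level permissions."""
    rp = event.get("requestParameters") or {}
    if event["eventName"] == "AttachUserPolicy":
        return rp.get("policyArn", "").endswith(":policy/AdministratorAccess")
    if event["eventName"] == "PutUserPolicy":
        stmts = json.loads(unquote(rp.get("policyDocument", "{}"))).get("Statement", [])
        for s in ([stmts] if isinstance(stmts, dict) else stmts):
            acts = s.get("Action", [])
            acts = [acts] if isinstance(acts, str) else acts
            if s.get("Effect") == "Allow" and any(a in ("*", "iam:*") for a in acts):
                return True
    return False


def triage(event, window=INVESTIGATION_WINDOW):
    """Apply the four checks from the article to one creation event."""
    ident, findings = event["userIdentity"], []
    ctype = credential_type(ident["arn"])
    if ctype == "root":
        findings.append("root credentials used; secure the root user immediately")
    if not any(ipaddress.ip_address(event["sourceIPAddress"]) in n for n in EXPECTED_CIDRS):
        findings.append(f"sourceIPAddress {event['sourceIPAddress']} outside expected ranges")
    if not event["userAgent"].startswith(EXPECTED_AGENT_PREFIXES):
        findings.append(f"unexpected userAgent {event['userAgent']!r}")
    t = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not window[0] <= t <= window[1]:
        findings.append(f"eventTime {event['eventTime']} outside the approved window")
    # CreateAccessKey without userName creates a key for the caller itself.
    target = (event.get("requestParameters") or {}).get("userName") or ident.get("userName")
    return {"eventName": event["eventName"], "principal": ident["arn"], "credential_type": ctype,
            "access_key": ident.get("accessKeyId"), "target_user": target, "findings": findings}


def related_grants(events, user_name):
    """Follow-on permission grants to the created user (the article's four event names)."""
    out = []
    for e in events:
        rp = e.get("requestParameters") or {}
        if (e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in GRANT_EVENTS
                and rp.get("userName") == user_name):
            detail = rp.get("policyArn") or rp.get("policyName") or rp.get("groupName") or "console password"
            out.append({"eventName": e["eventName"], "eventTime": e["eventTime"],
                        "detail": detail, "admin": is_admin_grant(e)})
    return out


def investigate(events, window=INVESTIGATION_WINDOW):
    """One report entry per CreateUser/CreateAccessKey event, in time order."""
    report = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        if e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in CREATION_EVENTS:
            entry = triage(e, window)
            entry["grants"] = related_grants(events, entry["target_user"])
            report.append(entry)
    return report


if __name__ == "__main__":
    for entry in investigate(SAMPLE_EVENTS):
        print(json.dumps(entry, indent=2))
```

On the sample data the legitimate ci-runner rotation produces no findings and no grants, while both deploy-bot events produce three findings each and the same three grants for svc-backup, two of them administrator-level. The output of lookup-events wraps each record as a JSON string in CloudTrailEvent; parse that string and feed the resulting objects to investigate().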

Deactivate the compromised IAM user access key

Deactivate the access key to immediately reject all subsequent API requests that are signed with it, which blocks programmatic access through the CLI, SDKs, and API (for example: aws iam update-access-key --user-name USER --access-key-id KEY_ID --status Inactive). Deactivate both the key used to make the unauthorized call and any key that was created for the new user. If the compromised IAM user also has an AWS Management Console password, which allows console sign-in, then block console access as well by deleting the login profile (aws iam delete-login-profile --user-name USER). Note that deactivating a key does not end role sessions that were already assumed with it; those temporary credentials stay valid until they expire. To cut them off, add an explicit Deny to the role with the aws:TokenIssueTime condition (the console's "Revoke active sessions" action does this) or update the role's trust policy.

Collect evidence before deletion

After you delete an access key or user, IAM no longer returns last-used information for it; CloudTrail logs remain, but they are your only record. Before deleting, note when the key was last used, from which Region, and which service was called. To view this information, use the IAM console or the AWS CLI: aws iam get-access-key-last-used --access-key-id KEY_ID. Also export the relevant CloudTrail events to a location outside the compromised account so that the evidence survives the cleanup.

Remove the unauthorized IAM user and associated resources

Remove or deactivate the IAM user and all associated resources. The DeleteUser API fails while the user still owns anything, so first remove its access keys, console password, MFA devices, signing certificates, SSH public keys, service-specific credentials, inline policies, attached managed policies, group memberships, and permissions boundary (the IAM console does this for you when you delete a user; the CLI requires each step). Also search for roles whose trust policies or resource-based policies reference the unauthorized user, and for other resources the attacker may have created with it.

Implement security best practices

Apply least privilege permissions to all IAM users and roles. Grant the iam:CreateUser or iam:CreateAccessKey permissions only when necessary. If you use AWS Organizations, then use service control policies (SCPs) to restrict IAM user and access key creation to approved principals. Keep in mind that SCPs do not apply to the management account, so provisioning roles and the investigation of the management account still rely on IAM permissions alone.
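The following SCP is an added example of the restriction described above, not a policy from the original article. It denies user and access key creation for every principal in the attached accounts except a provisioning role; the role name IdentityProvisioningRole is a hypothetical name for this illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserAndKeyCreationExceptProvisioningRole",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateAccessKey"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/IdentityProvisioningRole"
        }
      }
    }
  ]
}
```

Because an SCP applies to every principal in a member account, including its root user, this Deny also stops an attacker who obtains any other credential in the account from minting new users or keys. Test it in a sandbox organizational unit before attaching it to production accounts.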

Activate multi-factor authentication (MFA) for IAM users, especially those with administrative permissions. Regularly rotate access keys and deactivate unused keys. Activate Amazon GuardDuty to continuously monitor for unusual IAM behavior.

For more information about security best practices, see Security best practices in IAM.

AWS OFFICIAL. Updated 2 months ago