Link Search Menu Expand Document

AWS_Key_Compromised

ID: 100129

Description:

An AWS access key ID was uploaded to a public github repo

Repository: Group: AWS Type: event

Default Status:

Enabled

Tags:
AWS
 

Selector:

Query:

Filters:

Field MUST hit
@cloudtrail.eventName PutUserPolicy
@cloudtrail.requestParameters.policyName AWSExposedCredentialPolicy
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@cloudtrail.userIdentity.arn username security alert

Risks:

Risks Base Score Dimension
Timeline 0 -

Attributes:

Alias Key
AccountID @cloudtrail.recipientAccountId
Type @cloudtrail.userIdentity.type
Region @cloudtrail.awsRegion
ClientIP @cloudtrail.sourceIPAddress
UserAgent @cloudtrail.userAgent
Username @cloudtrail.userIdentity.userName
KeyID @cloudtrail.userIdentity.accessKeyId

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 10 days @cloudtrail.userIdentity.userName
  Risks: ML_NEW_USER

History:

| User | Date | | :— | :— | | — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)