...
This search looks for AWS CloudTrail events where a user, who already has permission to create access keys, makes an API call to create access keys for a second user.
A successful root account login was detected. This account should only be used to create initial IAM users or perform tasks only available to the root user. Using this account is against AWS security best practices. This detection filters CloudTrail events where eventName is ConsoleLogin and userName is root.
AWS CloudWatch alerts
This alert detects actions to get STS session tokens, which can be used to move laterally or escalate privileges in AWS.
...