Query Details

AWS Cloud Trail Aws Createaccesskey

Query

let query_frequency = 1h;
let query_period = 2h;
AWSCloudTrail
| where TimeGenerated > ago(query_frequency)
| where EventName in ("CreateAccessKey", "DeleteAccessKey")
| extend UserName = tostring(todynamic(ResponseElements)["accessKey"]["userName"])
| join kind=leftanti (
    AWSCloudTrail
    | where TimeGenerated > ago(query_period)
    | where EventName == "CreateUser" and not(EventSource == "sso-directory.amazonaws.com")// and EventSource == "iam.amazonaws.com"
    | extend CreatedUserName = tostring(todynamic(RequestParameters)["userName"])
    ) on $left.UserName == $right.CreatedUserName, RecipientAccountId
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    UserName,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query is designed to analyze AWS CloudTrail logs to identify specific user activities related to access keys and user creation. Here's a simplified breakdown of what the query does:

  1. Define Timeframes:

    • query_frequency is set to 1 hour, and query_period is set to 2 hours. These are used to filter events based on when they occurred.
  2. Filter Recent Events:

    • The query looks at AWS CloudTrail logs for the past hour (query_frequency) to find events where access keys were created or deleted (EventName is "CreateAccessKey" or "DeleteAccessKey").
  3. Extract User Information:

    • For these events, it extracts the UserName from the response elements of the logs.
  4. Identify Unmatched Users:

    • It performs a left anti join with another set of logs from the past two hours (query_period) where users were created (EventName is "CreateUser"), excluding those created by "sso-directory.amazonaws.com".
    • This join helps identify access key activities for users who were not recently created.
  5. Invoke Additional Role Information:

    • The query calls a function AWSIdentityRole() to get more details about the roles associated with the activities.
  6. Select Relevant Information:

    • Finally, it projects (selects) various fields to display, such as the time of the event, user identity details, account information, event source, and other relevant metadata.

In summary, this query identifies access key creation or deletion activities for users who were not newly created in the last two hours, providing detailed information about these events and the associated user identities.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail

Operators

letagointostringtodynamicjoinkind=leftantioninvokeprojectwhereextend==!=>andnot

Actions

GitHub