AWS Cloud Trail Aws Createaccesskey
Query
let query_frequency = 1h;
let query_period = 2h;
AWSCloudTrail
| where TimeGenerated > ago(query_frequency)
| where EventName in ("CreateAccessKey", "DeleteAccessKey")
| extend UserName = tostring(todynamic(ResponseElements)["accessKey"]["userName"])
| join kind=leftanti (
AWSCloudTrail
| where TimeGenerated > ago(query_period)
| where EventName == "CreateUser" and not(EventSource == "sso-directory.amazonaws.com")// and EventSource == "iam.amazonaws.com"
| extend CreatedUserName = tostring(todynamic(RequestParameters)["userName"])
) on $left.UserName == $right.CreatedUserName, RecipientAccountId
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
UserName,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This query is designed to analyze AWS CloudTrail logs to identify specific user activities related to access keys and user creation. Here's a simplified breakdown of what the query does:
-
Define Timeframes:
query_frequencyis set to 1 hour, andquery_periodis set to 2 hours. These are used to filter events based on when they occurred.
-
Filter Recent Events:
- The query looks at AWS CloudTrail logs for the past hour (
query_frequency) to find events where access keys were created or deleted (EventNameis "CreateAccessKey" or "DeleteAccessKey").
- The query looks at AWS CloudTrail logs for the past hour (
-
Extract User Information:
- For these events, it extracts the
UserNamefrom the response elements of the logs.
- For these events, it extracts the
-
Identify Unmatched Users:
- It performs a left anti join with another set of logs from the past two hours (
query_period) where users were created (EventNameis "CreateUser"), excluding those created by "sso-directory.amazonaws.com". - This join helps identify access key activities for users who were not recently created.
- It performs a left anti join with another set of logs from the past two hours (
-
Invoke Additional Role Information:
- The query calls a function
AWSIdentityRole()to get more details about the roles associated with the activities.
- The query calls a function
-
Select Relevant Information:
- Finally, it projects (selects) various fields to display, such as the time of the event, user identity details, account information, event source, and other relevant metadata.
In summary, this query identifies access key creation or deletion activities for users who were not newly created in the last two hours, providing detailed information about these events and the associated user identities.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
AWSCloudTrail
Keywords
AWSCloudTrail
Operators
letagointostringtodynamicjoinkind=leftantioninvokeprojectwhereextend==!=>andnot