Identify activity and techniques associated with accessing credential files from AWS resources, and monitor unusual authentication-related activity against the AWS Console and other services such as RDS.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication
- Last Updated: 2022-08-19
- Author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
- ID: 4210b690-293f-411d-a9d8-bcfb2ea5fff9
Adversaries employ a variety of techniques to steal AWS Cloud credentials such as account names, passwords and access keys. Using legitimate keys lets an attacker reach other sensitive systems while mimicking normal behaviour, which makes the activity harder to detect. Indicators of such activity include multiple failed logins to the console, console logins from new users or locations, and password reset activity.
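As an added example (not part of the Splunk analytic story or its detections), the Python below runs the three indicators named above over a handful of constructed CloudTrail records: a burst of failed `ConsoleLogin` events for one principal and source IP, successful console logins from user/IP pairs absent from a baseline, and password reset events. In Splunk these would be SPL searches over the Authentication datamodel; here the field shapes follow CloudTrail's `signin.amazonaws.com` and `iam.amazonaws.com` records, while the failure threshold, the time window, the baseline of known user/IP pairs and the sample records themselves are assumptions.

```python
"""Detect failed-login bursts, new console logins and password resets in CloudTrail-shaped records."""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNIN = "signin.amazonaws.com"
IAM = "iam.amazonaws.com"
# Event names that indicate a console password being reset or recovered.
PASSWORD_RESET_EVENTS = {"PasswordRecoveryRequested", "PasswordRecoveryCompleted",
                         "UpdateLoginProfile", "ChangePassword"}


def _ev(time, source, name, identity, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not real logs)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": identity, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


ALICE = {"type": "IAMUser", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}
ADMIN = {"type": "IAMUser", "userName": "admin"}
ROOT = {"type": "Root"}
FAIL = {"responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
OK = {"responseElements": {"ConsoleLogin": "Success"}}

# Constructed sample: an early failure for alice, a single failure for bob, then three
# rapid failures for alice followed by a success, a root password recovery request,
# and an admin resetting alice's console password.
SAMPLE_EVENTS = [
    _ev("2022-08-19T09:40:00Z", SIGNIN, "ConsoleLogin", ALICE, "203.0.113.7", **FAIL),
    _ev("2022-08-19T09:55:00Z", SIGNIN, "ConsoleLogin", BOB, "198.51.100.4", **FAIL),
    _ev("2022-08-19T09:56:00Z", SIGNIN, "ConsoleLogin", BOB, "198.51.100.4", **OK),
    _ev("2022-08-19T10:00:05Z", SIGNIN, "ConsoleLogin", ALICE, "203.0.113.7", **FAIL),
    _ev("2022-08-19T10:01:10Z", SIGNIN, "ConsoleLogin", ALICE, "203.0.113.7", **FAIL),
    _ev("2022-08-19T10:02:30Z", SIGNIN, "ConsoleLogin", ALICE, "203.0.113.7", **FAIL),
    _ev("2022-08-19T10:03:00Z", SIGNIN, "ConsoleLogin", ALICE, "203.0.113.7", **OK),
    _ev("2022-08-19T10:05:00Z", SIGNIN, "PasswordRecoveryRequested", ROOT, "203.0.113.7"),
    _ev("2022-08-19T10:07:00Z", IAM, "UpdateLoginProfile", ADMIN, "192.0.2.10",
        requestParameters={"userName": "alice"}),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event):
    """IAM user name when present; otherwise the identity type (e.g. Root)."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def _console_login(event, outcome):
    return (event["eventSource"] == SIGNIN and event["eventName"] == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == outcome)


def failed_console_logins(events, threshold=3, window=timedelta(minutes=10)):
    """Return {(user, ip): n} where n failures fell inside one sliding window and n >= threshold."""
    failures = defaultdict(list)
    for e in events:
        if _console_login(e, "Failure"):
            failures[(_principal(e), e["sourceIPAddress"])].append(_ts(e))
    hits = {}
    for key, times in failures.items():
        times.sort()  # records need not arrive in time order
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past stale failures
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def new_console_logins(events, baseline):
    """Successful console logins whose (user, ip) pair is not in the baseline of seen pairs."""
    return [(_principal(e), e["sourceIPAddress"]) for e in events
            if _console_login(e, "Success")
            and (_principal(e), e["sourceIPAddress"]) not in baseline]


def password_resets(events):
    """(eventName, actor, target) for password reset/recovery events; target defaults to actor."""
    out = []
    for e in events:
        if e["eventName"] in PASSWORD_RESET_EVENTS:
            actor = _principal(e)
            target = e.get("requestParameters", {}).get("userName", actor)
            out.append((e["eventName"], actor, target))
    return out


if __name__ == "__main__":
    print("failed-login bursts:", failed_console_logins(SAMPLE_EVENTS))
    print("new console logins:", new_console_logins(SAMPLE_EVENTS, {("bob", "198.51.100.4")}))
    print("password resets:", password_resets(SAMPLE_EVENTS))
```

The sliding window matters: alice's 09:40 failure is more than ten minutes before the burst and is not counted, so a threshold of four would produce no alert. A successful login immediately after a burst from the same IP, a root password recovery from the same address, and an administrator resetting that user's console password are exactly the sequence worth correlating rather than alerting on in isolation.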
source | version: 1