
In our scenario, we previously had some AWS keys. The IAM interface showed no usage for them, but the employee has been able to upload resources. Could anyone advise how to check whether the interface is just erring or whether they were perhaps not using these credentials?

The Athena queries I tried:

-- Look for any event made directly with the long-term access key.
-- Athena needs a hyphenated table name double-quoted; LIKE without a wildcard is just equality.
SELECT eventTime, eventName, userIdentity.principalId, eventSource
FROM "athena-table"
WHERE userIdentity.accessKeyId = 'AKIAIOSFODNN7EXAMPLE';

-- Look for any event made by the IAM user herself.
SELECT *
FROM "athena-table"
WHERE userIdentity.type = 'IAMUser'
  AND userIdentity.userName = 'Alice';

In the IAM Console Last activity is shown as Never.

We'll be deleting that user, but prior to doing that I wanted to see how she was using the account without logging. Is there a better way to find this out?

The Credential Report should be the right way to investigate this on the cloud end.

You can get the user to check what they have in ~/.aws/config and ~/.aws/credentials to confirm which credentials they're using.

It looks like this:

[profile_name]
aws_access_key_id = SHORTERSTRING
aws_secret_access_key = LONGERSTRINGGOESHEREWITHMORECHARS

Use the credential report to find out when the IAM user last used an access key. If it looks wrong, then you may need to dig into CloudTrail logs to find out when/where the key is being used.

A more gung-ho approach would be to go through revoking the access keys until someone yells at you :D

shearn89
  • Thanks, shearn89. I have an access key and secret key; can you describe the procedure a bit? – samtech 2021 Mar 01 '22 at 08:58
  • Done, hopefully that points you in the right direction! – shearn89 Mar 01 '22 at 09:15
  • Tried with CloudTrail logs and Athena queries, but both showed no results. – samtech 2021 Mar 01 '22 at 11:13
  • shearn89, we'll be deleting that user, but prior to doing that I wanted to see how she was using the account without it logging. – samtech 2021 Mar 01 '22 at 15:43
  • In the IAM Console, the Last activity is shown as Never for that particular user, but how is that user using the account without it logging then. What is your best advice on it? @shearn89. – samtech 2021 Mar 02 '22 at 07:00
  • Take a look at the link and generate a full report. Also take a look at cloudtrail logs for that user to see if you can see what authentication method they're using. – shearn89 Mar 02 '22 at 08:22
  • Is it possible that the user may still have access to an instance having a role that allows upload? – samtech 2021 Mar 02 '22 at 09:30
  • Yes, good point. If they have an SSH key those are not revoked from instances on user deletion. – shearn89 Mar 02 '22 at 09:34
  • For that particular user, the console password is disabled, the access key is inactive and no SSH keys are attached. Access Advisor also shows "Not accessed in the tracking period". The user has the following policies attached: 1. S3-listAllBuckets 2. LinkUpBucketWriteOnly 3. S3-Editors – samtech 2021 Mar 02 '22 at 09:53
  • I checked the bucket policy attached to that user; it is shown as "Access Bucket and objects not public" in S3. Can you advise me on how to continue with the further investigation on this? – samtech 2021 Mar 02 '22 at 11:01
  • You should probably reach out to AWS Support for more info. – shearn89 Mar 02 '22 at 13:40
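The answer points at CloudTrail, and the comments raise the case that the uploads may come from an instance role rather than the user's own key; both of the Athena queries above only match `IAMUser` identities or the long-term key, so an `AssumedRole` session would never show up. The script below, an added example that is not part of the question or answer, walks a list of CloudTrail records and groups S3 write events on a bucket by the principal that performed them, surfacing the role behind any assumed-role session. The records, bucket name, role name, key ids and account id are all constructed sample values.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not real log data); in practice these
# come from the CloudTrail bucket or the Athena table the question queries.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
  "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/UploaderRole/i-0123456789abcdef0",
     "accessKeyId": "ASIAEXAMPLETEMPKEY",
     "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "UploaderRole"}}},
  "requestParameters": {"bucketName": "example-upload-bucket", "key": "report.csv"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "IAMUser", "userName": "Bob", "accessKeyId": "AKIABOBEXAMPLE"},
  "requestParameters": {"bucketName": "example-upload-bucket", "key": "report.csv"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
  "userIdentity": {"type": "IAMUser", "userName": "Bob", "accessKeyId": "AKIABOBEXAMPLE"},
  "requestParameters": {"bucketName": "other-bucket", "key": "notes.txt"}}
]""")

# S3 API calls that create or change objects; reads are ignored.
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload", "DeleteObject"}

def principal_of(record):
    """Describe who acted, naming the role behind an AssumedRole session."""
    ident = record["userIdentity"]
    kind = ident.get("type")
    if kind == "IAMUser":
        return f"IAMUser:{ident.get('userName')} (key {ident.get('accessKeyId')})"
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return f"AssumedRole:{issuer.get('userName')} ({ident.get('arn')})"
    return f"{kind}:{ident.get('arn')}"

def s3_writers(records, bucket):
    """Count S3 write events on one bucket, keyed by the acting principal."""
    counts = defaultdict(int)
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") == bucket:
            counts[principal_of(rec)] += 1
    return dict(counts)

def key_usage(records, access_key_id):
    """Count events made directly with a given access key id."""
    return sum(1 for r in records if r["userIdentity"].get("accessKeyId") == access_key_id)

if __name__ == "__main__":
    for who, n in s3_writers(SAMPLE_RECORDS, "example-upload-bucket").items():
        print(f"{n:3d}  {who}")
    print("events with Alice's key:", key_usage(SAMPLE_RECORDS, "AKIAIOSFODNN7EXAMPLE"))
```

On the sample data the only writer of the bucket is the instance role, and the user's long-term key appears in no event at all, which is exactly the "Last activity: Never" picture the question describes.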