Score:0

AWS CLI Usage Issue


In our scenario, we previously had some AWS keys. The IAM interface shows/showed no usage for them, but the employee has been able to upload resources. Could anyone advise how to check whether the interface is just erring or whether they were perhaps not using these credentials?

The Athena queries I tried:

-- Events made with the specific access key (replace "athena-table" with your
-- CloudTrail table; a hyphenated table name must be double-quoted in Athena)
SELECT eventTime, eventName, userIdentity.principalId, eventSource
FROM "athena-table"
WHERE userIdentity.accessKeyId = 'AKIAIOSFODNN7EXAMPLE';

-- All events made directly by the IAM user
SELECT *
FROM "athena-table"
WHERE userIdentity.type = 'IAMUser'
AND userIdentity.userName = 'Alice';

In the IAM Console, Last activity is shown as Never.

We'll be deleting that user, but prior to doing that I wanted to see how she was using the account without it being logged. Is there a better way to find this out?

Duplicate: https://security.stackexchange.com/questions/260028/aws-iam-access-issue
Score:0

The Credential Report should be the right way to investigate this on the cloud end.

You can get the user to check what they have in ~/.aws/config and ~/.aws/credentials to confirm which credentials they're using.

It looks like this:

[profile_name]
aws_access_key_id = SHORTERSTRING
aws_secret_access_key = LONGERSTRINGGOESHEREWITHMORECHARS

Use the credential report to find out when the IAM user last used an access key. If it looks wrong, then you may need to dig into the CloudTrail logs to find out when/where the key is being used.

A more gung-ho approach would be to go through revoking the access keys until someone yells at you :D

samtech 2021: Thanks, shearn89. I have an access key and secret key; can you describe the procedure a bit?

shearn89: Done, hopefully that points you in the right direction!

samtech 2021: Tried with the CloudTrail logs and Athena queries, but both showed no result.

samtech 2021: shearn89, we'll be deleting that user, but prior to doing that I wanted to see how she was using the account without it being logged.

samtech 2021: In the IAM Console, the Last activity is shown as Never for that particular user, but how is that user using the account without it being logged then? What is your best advice on it? @shearn89

shearn89: Take a look at the link and generate a full report. Also take a look at the CloudTrail logs for that user to see if you can see what authentication method they're using.

samtech 2021: Is it possible that the user may still have access to an instance with a role that allows upload?

shearn89: Yes, good point. If they have an SSH key, those are not revoked from instances on user deletion.

samtech 2021: For that particular user, the console password is disabled, the access keys are inactive and no SSH keys are attached. Access Advisor also shows "Not accessed in the tracking period". The user has the following policies attached: 1. S3-listAllBuckets 2. LinkUpBucketWriteOnly 3. S3-Editors

samtech 2021: I checked the bucket policy attached to that user; it is shown as "Access Bucket and objects not public" in S3. Can you advise me on how to continue with the further investigation on this?

shearn89: You should probably reach out to AWS Support for more info.
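An added example (not code from the answer or from AWS) of the two checks discussed in this answer and its comments: reading a user's access-key usage out of the IAM credential report, and attributing S3 PutObject events in CloudTrail to the identity that actually made them, so an upload done through an EC2 instance-profile role is not mistaken for use of the user's own keys. The credential report rows, CloudTrail records, account id, bucket, role and key ids are all constructed sample data; the column and field names follow the real report and record formats.

```python
import csv
import io

# Constructed sample: a subset of the real IAM credential report's columns (values made up).
CREDENTIAL_REPORT = (
    "user,arn,access_key_1_active,access_key_1_last_used_date,"
    "access_key_2_active,access_key_2_last_used_date\n"
    "alice,arn:aws:iam::123456789012:user/alice,false,N/A,false,N/A\n"
    "bob,arn:aws:iam::123456789012:user/bob,true,2021-06-01T10:15:00+00:00,false,N/A\n"
)
# Constructed CloudTrail records in the CloudTrail record shape (ids, names and keys made up).
# PutObject is an S3 data event: it is only recorded when data-event logging is on for the bucket.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2021-06-02T09:00:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "UploaderRole"},
                                         "ec2RoleDelivery": "2.0"}},
     "requestParameters": {"bucketName": "linkup-bucket", "key": "report.csv"}},
    {"eventTime": "2021-06-01T10:15:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"bucketName": "linkup-bucket", "key": "notes.txt"}},
]

def key_usage(report_csv, user):
    """Return {'key1': (active, last_used_date), 'key2': ...} for one user, or None if absent."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == user:
            return {f"key{n}": (row[f"access_key_{n}_active"] == "true",
                                row[f"access_key_{n}_last_used_date"]) for n in (1, 2)}
    return None

def attribute_uploads(records, bucket):
    """Map each PutObject into `bucket` to the identity that actually made it. An IAMUser record
    names the user and long-term key; an AssumedRole record names the role, and ec2RoleDelivery in
    sessionContext shows the credentials came from an EC2 instance profile, not the user's keys."""
    findings = []
    for rec in records:
        if rec["eventName"] != "PutObject" or rec["requestParameters"].get("bucketName") != bucket:
            continue
        ident = rec["userIdentity"]
        who = ident["type"]
        if ident["type"] == "IAMUser":
            who = f"user {ident['userName']} via key {ident['accessKeyId']}"
        elif ident["type"] == "AssumedRole":
            sc = ident.get("sessionContext", {})
            who = f"role {sc.get('sessionIssuer', {}).get('userName')}"
            if "ec2RoleDelivery" in sc:
                who += " (instance profile)"
        findings.append((rec["eventTime"], rec["requestParameters"]["key"], who))
    return findings
```

On a real account, the report comes from `aws iam get-credential-report` and the records from the CloudTrail S3 files or an Athena query on them; a user whose keys show "N/A" while uploads still appear points at a role or another principal rather than the user's own credentials.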