Join Log in
Score:0
samtech 2021 avatar Server

AWS CLI Usage Issue

th flag
samtech 2021

In our scenario, We previously had some AWS keys. The IAM interface show/showed no usage for it but the employee has been able to upload resources. Could anyone advise how to check if the interface is just erring or if they were perhaps not using these credentials?

The ATHENA Queries I was tried

SELECT eventTime, eventName, userIdentity.principalId,eventSource
FROM athena-table
WHERE useridentity.accesskeyid like 'AKIAIOSFODNN7EXAMPLE'

SELECT *
FROM athena-table
WHERE useridentity.type = 'IAMUser'
AND useridentity.username LIKE 'Alice';

In the IAM Console Last activity is shown as Never.

We'll be deleting that user but prior to doing that I wanted to see how she was using the account without logging. Is there a better way to find out this?

62
0 + 0
cn flag
shearn89
Duplicate: https://security.stackexchange.com/questions/260028/aws-iam-access-issue
0
Reply
Score:0
avatar Server
cn flag
shearn89

The Credential Report should be the right way to investigate this on the cloud end.

You can get the user to check what they have in ~/.aws/config and ~/.aws/credentials to confirm which credentials they're using.

It looks like this:

[profile_name]
aws_access_key_id = SHORTERSTRING
aws_secret_access_key = LONGERSTRINGGOESHEREWITHMORECHARS

Use the credential report to find out when the IAM user last used an access key. If it looks wrong, then you may need to dig in to CloudTrail logs to find out when/where the key is being used.

More gung-ho approach would be to go through revoking the access keys until someone yells at you :D

0 + 0
samtech 2021 avatar
th flag
samtech 2021
Thanks, shearn89, I have an access key and secrete key, can you describe a bit about the procedure.
0
Reply
cn flag
shearn89
Done, hopefully that points you in the right direction!
0
Reply
samtech 2021 avatar
th flag
samtech 2021
Tried with cloud trail log and Athena queries but both showed output as no result.
0
Reply
samtech 2021 avatar
th flag
samtech 2021
shearn89 ,We'll be deleting that user but prior to doing that I wanted to see how she was using the account without it logging.
0
Reply
samtech 2021 avatar
th flag
samtech 2021
In the IAM Console, the Last activity is shown as Never for that particular user, but how is that user using the account without it logging then. What is your best advice on it? @shearn89.
0
Reply
cn flag
shearn89
Take a look at the link and generate a full report. Also take a look at cloudtrail logs for that user to see if you can see what authentication method they're using.
0
Reply
samtech 2021 avatar
th flag
samtech 2021
Is it possible that the user may still have access to an instance having a role that allows upload?
1
Reply
cn flag
shearn89
Yes, good point. If they have an SSH key those are not revoked from instances on user deletion.
0
Reply
samtech 2021 avatar
th flag
samtech 2021
For That particular user Console password, is disabled, Access keys is inactive and no SSH keys are attached also In Access Advisor shows Not accessed in the tracking period. user has the following policy attached 1. S3-listAllBuckets 2. LinkUpBucketWriteOnly 3. S3-Editors
0
Reply
samtech 2021 avatar
th flag
samtech 2021
,I checked with The bucket policy attached to that user shown as "Access Bucket and objects not public" in s3. can you advise me on how to continue with the further investigation on this?
0
Reply
cn flag
shearn89
You should probably reach out to AWS Support for more info.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.