
We previously had some AWS keys. The IAM interface showed no usage for them, but the employee has been able to upload resources. Could anyone advise how to check whether the interface is just erring or whether they were perhaps not using these credentials?

The Athena queries I tried:

-- Events made with one specific access key.
-- The table name contains a hyphen, so it has to be double-quoted in Athena;
-- LIKE without a wildcard is just an equality test, so = says what is meant.
SELECT eventTime, eventName, userIdentity.principalId, eventSource
FROM "athena-table"
WHERE userIdentity.accessKeyId = 'AKIAIOSFODNN7EXAMPLE';

-- Events made directly by one IAM user (this does not return calls the user
-- makes through an assumed role, because those have type = 'AssumedRole').
SELECT *
FROM "athena-table"
WHERE userIdentity.type = 'IAMUser'
AND userIdentity.userName = 'Alice';

After investigating the credential report, and when I dig into CloudTrail logs to find out when/where the key is being used, the "Last activity" output for the user is not much help.

In the IAM console, the Last activity is shown as Never for that particular user, but how is that user using the account without logging in, then? What is your best advice on it?

We'll be deleting that user, but prior to doing that I wanted to see how she was using the account without logging in. Is there a better way to find this out?

  • Can you give the name of the AWS resource you are mentioning? Also, put the resource permission policy. – user2352577L Mar 02 '22 at 09:47
  • @user2352577L For that particular user, the console password is disabled, the access keys are inactive and no SSH keys are attached; also, Access Advisor shows "Not accessed in the tracking period". The user has the following policies attached from the group: 1. S3-listAllBuckets 2. LinkUpBucketWriteOnly 3. S3-Editors; policies attached directly: 1. LimitedVideoResources 2. IAMUserChangePassword – samtech 2021 Mar 02 '22 at 09:53
  • Did your bucket allow public access? Also, I think you should give whitelisting for the S3 bucket a try, which means you put a deny policy for all and put the exceptions in the same policy. Again, you'd better put the permission policy in your question; you can edit it. – user2352577L Mar 02 '22 at 18:11
  • I checked: the bucket policy attached to that user is shown as "Access: Bucket and objects not public" in S3. Can you advise me on how to continue with the further investigation on this? – samtech 2021 Mar 03 '22 at 08:29
  • Is it possible that the user may still have access to an instance having a role that allows upload? Regarding the term "whitelisting for the S3 bucket", can you describe it a bit? – samtech 2021 Mar 03 '22 at 08:32

0 Answers
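An added example (not part of the original question or its comments) of the triage the question is asking for, done over raw CloudTrail records rather than Athena. Two points it makes concrete: the IAM "Last activity" field, the credential report and a search on userIdentity.userName only cover calls made with the user's own credentials, so an upload made through a role session (for example an EC2 instance profile, as the last comment suspects) shows up under type AssumedRole with the role name in sessionContext.sessionIssuer and the instance id as the session name; and S3 PutObject is an S3 data event, which a trail records only when data-event logging is enabled for it, so an empty result may mean the uploads were never logged. The log below is constructed sample data in CloudTrail's JSON layout; the account id, ARNs, IP addresses, instance id and role name are placeholders, and the only key id taken from the question is AWS's documented example key.

```python
import json

# Constructed sample log (CloudTrail JSON layout). All identifiers are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2022-03-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {
         "type": "AssumedRole",
         "principalId": "AROAEXAMPLEROLEID:i-0abc123def456",
         "arn": "arn:aws:sts::111122223333:assumed-role/UploaderRole/i-0abc123def456",
         "accessKeyId": "ASIAEXAMPLESESSIONKEY",
         "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "UploaderRole"},
                            "ec2RoleDelivery": "2.0"}},
     "requestParameters": {"bucketName": "example-bucket", "key": "video/clip.mp4"}},
    {"eventTime": "2022-02-27T08:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSERID",
                      "arn": "arn:aws:iam::111122223333:user/Alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice"}},
    {"eventTime": "2022-03-02T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEOTHERID",
                      "arn": "arn:aws:iam::111122223333:user/Bob",
                      "accessKeyId": "AKIAEXAMPLEOTHERKEY", "userName": "Bob"}},
]})

# Object-level S3 calls: logged only when the trail has S3 data events enabled.
S3_DATA_EVENTS = {"PutObject", "GetObject", "DeleteObject", "CopyObject"}


def load_records(text):
    """Parse one CloudTrail log file (a JSON object with a 'Records' list)."""
    return json.loads(text)["Records"]


def describe_identity(record):
    """Flatten userIdentity into who made the call and through what."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    info = {"type": kind, "access_key": ident.get("accessKeyId"),
            "user": ident.get("userName"), "role": None, "session": None}
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        info["role"] = issuer.get("userName")
        # principalId is "<role unique id>:<session name>"; for an EC2
        # instance profile the session name is the instance id.
        info["session"] = ident.get("principalId", "").partition(":")[2] or None
    return info


def attribute_activity(records, user_name, access_keys=(), candidate_roles=()):
    """Return sorted (eventTime, eventName, how) tuples for every record that
    can be tied to the user: by IAM user name, by one of the user's access
    keys, or by a session of a role in candidate_roles that the user could
    reach (e.g. through an instance they can log in to).  Role-session hits
    are leads to verify against who can use that role, not proof."""
    hits = []
    for rec in records:
        who = describe_identity(rec)
        how = None
        if who["type"] == "IAMUser" and who["user"] == user_name:
            how = "iam-user"
        elif who["access_key"] in access_keys:
            how = "access-key:" + who["access_key"]
        elif who["type"] == "AssumedRole" and who["role"] in candidate_roles:
            how = f"role-session:{who['role']}/{who['session']} (verify who can use it)"
        if how:
            hits.append((rec["eventTime"], rec["eventName"], how))
    return sorted(hits)


def count_s3_data_events(records):
    """Zero here, on a trail that should cover the bucket, means the uploads
    were never recorded rather than that they did not happen."""
    return sum(1 for r in records
               if r.get("eventSource") == "s3.amazonaws.com"
               and r.get("eventName") in S3_DATA_EVENTS)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("S3 data events present:", count_s3_data_events(recs))
    for hit in attribute_activity(recs, "Alice",
                                  access_keys={"AKIAIOSFODNN7EXAMPLE"},
                                  candidate_roles={"UploaderRole"}):
        print(*hit)
```

Against the sample, a search for Alice's own user name or key finds only the ListBuckets call; the PutObject is attributed to the UploaderRole session from instance i-0abc123def456, which is the trail to follow next (who can reach that instance, and what the role's trust and permission policies allow). To run it over real logs, feed each gzipped CloudTrail file's contents to load_records and pass the user's key ids from the credential report and the role names from the instances the user could access.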