Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Alerts Reference

    Home FortiCNAPP Alerts Reference

    Access Key Deleted

    Access Key Deleted

    Note

    This alert is disabled by default. You still retain full visibility through the AWS CloudTrail log Identity and Access Management (IAM) Access Key Change. You can also re-enable the alert manually if needed.

    This alert occurs when Lacework FortiCNAPP detects the deletion of an existing access key.

    Why this alert is important

    Access keys are one of the most common means of authentication used in AWS. A leaked access key can give any attacker access to your environment. Also, whenever an account is compromised, the attacker wants to maintain and tries to elevate privileges by creating a new access key. A deleted access key can cause a loss of availability for a legitimate user/application.

    Investigation

    Examine the details of the user who triggered the access key creation/deletion. Examining the user deeper could provide other details such as the source IP from where the user logged in. This would help to investigate if someone was trying to impersonate the user. Also, search for any new users created or EC-2 instances spun up to maintain persistence by the attacker.

    Resolution

    Check that access key modification was done by a legitimate user/administrator. Limiting access key creation/ deletion to only privileged users can reduce the exposure of this incident.

    Related Information

    https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

    Previous
    Next

    Access Key Deleted

    Access Key Deleted

    Note

    This alert is disabled by default. You still retain full visibility through the AWS CloudTrail log Identity and Access Management (IAM) Access Key Change. You can also re-enable the alert manually if needed.

    This alert occurs when Lacework FortiCNAPP detects the deletion of an existing access key.

    Why this alert is important

    Access keys are one of the most common means of authentication used in AWS. A leaked access key can give any attacker access to your environment. Also, whenever an account is compromised, the attacker wants to maintain and tries to elevate privileges by creating a new access key. A deleted access key can cause a loss of availability for a legitimate user/application.

    Investigation

    Examine the details of the user who triggered the access key creation/deletion. Examining the user deeper could provide other details such as the source IP from where the user logged in. This would help to investigate if someone was trying to impersonate the user. Also, search for any new users created or EC-2 instances spun up to maintain persistence by the attacker.

    Resolution

    Check that access key modification was done by a legitimate user/administrator. Limiting access key creation/ deletion to only privileged users can reduce the exposure of this incident.

    Related Information

    https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

    Previous
    Next