This event detects the creation of a new IAM access key and the deletion of an existing access key.
Why this Event is Important
This event is very important from a security standpoint. Access keys are one of the most common means of authentication used in AWS. A leaked access key can give any attacker access to your environment. Also, whenever an account is compromised, the attacker wants to maintain access and tries to elevate privileges by creating a new access key. A deleted access key can cause a loss of availability for a legitimate user/application.
Examine the details of the user who triggered the access key creation/deletion. Examining the user more closely could provide other details, such as the source IP from which the user logged in. This helps to investigate whether someone was trying to impersonate the user. Also, search for any new users created or EC2 instances spun up by the attacker to maintain persistence.
Check that the access key modification was done by a legitimate user/administrator. Limiting access key creation/deletion to privileged users only can reduce exposure to this kind of incident.
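The triage steps above, as an added example that is not part of the original page. It assumes the events are CloudTrail records with the standard `eventName`, `sourceIPAddress`, `userIdentity`, `requestParameters` and `responseElements` fields; the sample records, account ID, key ID, 24-hour window and `known_ips` allow-list are constructed for illustration.

```python
from datetime import datetime, timedelta

KEY_EVENTS = {"CreateAccessKey", "DeleteAccessKey"}
FOLLOW_ON = {"CreateUser", "RunInstances"}   # persistence signs named above
ACCT = "arn:aws:iam::111122223333:user/"     # constructed account and users

def rec(time, name, user, ip, key_id=None, target=None, new_key=None):
    """Constructed CloudTrail-style record holding only the fields used here."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": ACCT + user, "accessKeyId": key_id},
            "requestParameters": {"userName": target},
            "responseElements": {"accessKey": {"accessKeyId": new_key}} if new_key else None}

SAMPLE = [  # constructed sample data, not real logs
    rec("2024-05-01T10:00:00Z", "CreateAccessKey", "alice", "203.0.113.50",
        target="svc-backup", new_key="AKIAEXAMPLEKEY000001"),
    rec("2024-05-01T10:07:00Z", "CreateUser", "svc-backup", "198.51.100.7",
        key_id="AKIAEXAMPLEKEY000001", target="helpdesk2"),
    rec("2024-05-01T10:20:00Z", "RunInstances", "svc-backup", "198.51.100.7",
        key_id="AKIAEXAMPLEKEY000001"),
    rec("2024-05-01T11:00:00Z", "DeleteAccessKey", "bob", "192.0.2.10", target="bob"),
    rec("2024-05-03T09:00:00Z", "RunInstances", "carol", "192.0.2.10"),
]

def when(r):
    return datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def triage(records, known_ips, window=timedelta(hours=24)):
    """One finding per key create/delete: actor, source IP, and later CreateUser or
    RunInstances calls made by the same actor or with the newly created key."""
    records = sorted(records, key=when)
    findings = []
    for i, r in enumerate(records):
        if r["eventName"] not in KEY_EVENTS:
            continue
        actor = r["userIdentity"]["arn"]
        new_key = ((r.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
        follow = [n["eventName"] for n in records[i + 1:]
                  if n["eventName"] in FOLLOW_ON and when(n) - when(r) <= window
                  and (n["userIdentity"]["arn"] == actor
                       or (new_key and n["userIdentity"].get("accessKeyId") == new_key))]
        findings.append({"event": r["eventName"], "actor": actor,
                         "target_user": (r.get("requestParameters") or {}).get("userName"),
                         "source_ip": r["sourceIPAddress"],
                         "unknown_ip": r["sourceIPAddress"] not in known_ips,
                         "follow_on": follow})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE, known_ips={"192.0.2.10"}):
        print(f)
```

Matching follow-on activity on the new key's ID as well as on the actor's ARN matters because a key created for a different user will show up under that user's identity, not the creator's.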