AWS_CAN_CREATE_ACCESS_KEY

Summary

FSProtect ACL Alias

AWS_CAN_CREATE_ACCESS_KEY

Edge Type

Attack Path

Affected Object Types

IAM Users

Exploitation Certainty

Certain

AWS IAM Action / Condition

iam:CreateAccessKey for target IAM user

Description

AWS_CAN_CREATE_ACCESS_KEY represents the ability to create long-term API credentials for an IAM user.

This edge is highly sensitive because an attacker can:

  • Generate a new key pair for a privileged user.

  • Authenticate via AWS CLI/SDK as that user.

  • Maintain persistence through long-lived credentials if key governance is weak.

If a target user already has two keys (the IAM limit), this path is often chained with AWS_CAN_DELETE_ACCESS_KEY.

Identification

AWS CLI

Check permission simulation:

Review current keys on the target user:

AWS Console

  • Open IAM -> Users -> select the target user.

  • Open Security credentials tab.

  • Under Access keys, verify whether the user already has 0, 1, or 2 active keys.

  • To determine who can create access keys for this user, check the Permissions tab of potential source users/roles for the iam:CreateAccessKey permission.
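The two CLI checks above produce JSON that is tedious to eyeball across many users. The following Python triage helper is an added example, not part of the FSProtect documentation: it consumes the response shapes of `aws iam simulate-principal-policy` (for `iam:CreateAccessKey` against the target user's ARN) and `aws iam list-access-keys`, answers whether the edge exists, and reports how many of the two key slots the target still has free, which is what decides whether the path would need to be chained with AWS_CAN_DELETE_ACCESS_KEY. The embedded documents are constructed samples, not captured output; the account id, user names and key ids are placeholders.

```python
"""Triage helper for the AWS_CAN_CREATE_ACCESS_KEY edge (added example).

Consumes the JSON shapes returned by two AWS CLI calls:
  aws iam simulate-principal-policy --policy-source-arn <source-arn> \
      --action-names iam:CreateAccessKey --resource-arns <target-user-arn>
  aws iam list-access-keys --user-name <target-user>
The documents below are constructed sample responses, not real data.
"""
import json

IAM_ACCESS_KEY_LIMIT = 2  # IAM allows at most two access keys per user

# Constructed sample: simulation result for a source principal that is
# allowed to create keys on the (placeholder) target user.
SIMULATION_SAMPLE = json.dumps({
    "EvaluationResults": [
        {
            "EvalActionName": "iam:CreateAccessKey",
            "EvalResourceName": "arn:aws:iam::123456789012:user/target-admin",
            "EvalDecision": "allowed",
            "MatchedStatements": [{"SourcePolicyId": "example-policy"}],
        }
    ]
})

# Constructed sample: list-access-keys for a target already at the limit.
LIST_KEYS_SAMPLE = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "target-admin", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "Status": "Active", "CreateDate": "2024-01-10T09:00:00+00:00"},
        {"UserName": "target-admin", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
         "Status": "Inactive", "CreateDate": "2024-06-01T12:30:00+00:00"},
    ]
})


def edge_exists(simulation_json, target_user_arn):
    """True when the simulation allows iam:CreateAccessKey on the target."""
    results = json.loads(simulation_json)["EvaluationResults"]
    return any(
        r["EvalActionName"] == "iam:CreateAccessKey"
        and r["EvalResourceName"] == target_user_arn
        and r["EvalDecision"] == "allowed"
        for r in results
    )


def key_slot_report(list_keys_json):
    """Summarise the target's keys: counts, free slots, and whether the
    IAM limit is reached (no slot free means a key would first have to
    be deleted, i.e. the AWS_CAN_DELETE_ACCESS_KEY chain applies)."""
    keys = json.loads(list_keys_json)["AccessKeyMetadata"]
    total = len(keys)
    return {
        "total_keys": total,
        "active_keys": sum(1 for k in keys if k["Status"] == "Active"),
        "free_slots": IAM_ACCESS_KEY_LIMIT - total,
        "at_limit": total >= IAM_ACCESS_KEY_LIMIT,
    }


if __name__ == "__main__":
    target = "arn:aws:iam::123456789012:user/target-admin"
    print("edge exists:", edge_exists(SIMULATION_SAMPLE, target))
    print("key slots:", key_slot_report(LIST_KEYS_SAMPLE))
```

Inactive keys still occupy a slot, so `total_keys` rather than `active_keys` drives `at_limit`; a user with one active and one inactive key is just as "full" from IAM's point of view.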

Exploitation

AWS CLI

Create a key for the target user:

Use the returned AccessKeyId and SecretAccessKey with AWS CLI/SDK to act as that user.

Mitigation

  • Restrict iam:CreateAccessKey to dedicated break-glass workflows.

  • Prefer role-based temporary credentials (STS) over long-term user keys.

  • Enforce key rotation and immediate revocation for unused credentials.

  • Apply SCP and IAM guardrails that block user key creation where not required.

Detection

Monitor CloudTrail for access key creation:

  • Event source: iam.amazonaws.com

  • Event name: CreateAccessKey

Example lookup:

Investigate actor-target mismatches (a caller creating a key for a different user).
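The actor-target mismatch is the signal worth automating. The script below is an added example, not FSProtect's own detection logic: it walks CloudTrail records in the shape CloudTrail delivers them, keeps only `iam.amazonaws.com` / `CreateAccessKey` events, and flags those where the calling identity is not the user the key was created for. Self-service rotation (a user creating their own key) is left out as the benign baseline. The trail records, account id, principal names and IP addresses are constructed samples.

```python
"""CloudTrail triage for CreateAccessKey events (added example).

Flags the cross-user pattern behind AWS_CAN_CREATE_ACCESS_KEY: a caller
creating a key for a user other than itself. Records below are constructed
samples in CloudTrail's record layout, not real trail data.
"""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # user rotating their own key: actor == target, benign baseline
        "eventTime": "2024-07-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "alice"},
        "responseElements": {"accessKey": {"userName": "alice", "status": "Active"}},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # role session creating a key for a privileged user: mismatch
        "eventTime": "2024-07-01T10:05:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
        "requestParameters": {"userName": "target-admin"},
        "responseElements": {"accessKey": {"userName": "target-admin", "status": "Active"}},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # unrelated IAM call, must be ignored
        "eventTime": "2024-07-01T10:06:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListAccessKeys",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"userName": "bob"},
        "sourceIPAddress": "203.0.113.11",
    },
]})


def actor_name(record):
    """Caller identity: the IAM user name when present, otherwise the full
    ARN (assumed-role sessions carry no userName)."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn", "unknown")


def target_name(record):
    """User the key was created for. IAM defaults to the caller when
    userName is omitted from the request, so fall back to the actor."""
    resp = (record.get("responseElements") or {}).get("accessKey") or {}
    req = record.get("requestParameters") or {}
    return resp.get("userName") or req.get("userName") or actor_name(record)


def find_cross_user_key_creation(trail_json):
    """Return CreateAccessKey events where the caller is not the target user."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateAccessKey":
            continue
        actor, target = actor_name(rec), target_name(rec)
        # Self-service rotation keeps actor == target; anything else is the
        # cross-user creation this edge describes and deserves a look.
        if actor != target:
            findings.append({
                "time": rec.get("eventTime"),
                "actor": actor,
                "target": target,
                "source_ip": rec.get("sourceIPAddress"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_user_key_creation(SAMPLE_TRAIL):
        print(json.dumps(finding))
```

Feed it the `Records` array from trail files in S3, or reshape the `Events`/`CloudTrailEvent` payloads returned by `aws cloudtrail lookup-events` into the same structure. Pairing each finding with the target's key count from the Identification step shows whether a DeleteAccessKey event should be expected just before it.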

References
