AWS_HAS_ACCESS_KEY
Summary
FSProtect ACL Alias: AWS_HAS_ACCESS_KEY
Edge Type: Relationship
Affected Object Types: IAM Users, Access Keys
Exploitation Certainty: Unlikely
AWS IAM Action / Condition: Relationship visibility via iam:ListAccessKeys; key usage context via iam:GetAccessKeyLastUsed
Description
AWS_HAS_ACCESS_KEY represents that an IAM user has one or more API access keys.
This edge is a credential-surface relationship, not a direct exploit primitive. Its security relevance is high for exposure and persistence analysis, because a long-term access key can be abused if:
The key is leaked.
The key remains active for too long.
Monitoring and rotation controls are weak.
This edge often supports risk analysis together with AWS_CAN_CREATE_ACCESS_KEY and AWS_CAN_DELETE_ACCESS_KEY.
Identification
AWS CLI
List keys for one user:
Get last-used context for a key:
Enumerate all users with keys:
AWS Console
Open IAM -> Users -> select user.
Open Security credentials.
Review access key IDs, status, and age.
Exploitation
There is no direct exploit path for this edge by itself.
AWS_HAS_ACCESS_KEY indicates a credential exists; exploitability depends on whether the credential is compromised or can be replaced/managed by an attacker.
Mitigation
Remove unused access keys and disable inactive keys quickly.
Enforce rotation and key age thresholds.
Prefer temporary credentials from roles instead of long-term user keys.
Alert on old active keys and high-risk usage locations.
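The following is an added example (not FSProtect's code) that turns the CLI output from the Identification section into the rotation and age checks listed under Mitigation. It reads JSON in the shape returned by `aws iam list-access-keys --user-name` and `aws iam get-access-key-last-used --access-key-id`; the user name, key IDs, dates and the 90-day/30-day thresholds are constructed sample values and assumptions to tune per environment.

```python
"""Flag IAM access keys that violate age and usage policy.

Added example, not FSProtect's code. Input shapes follow the JSON of
`aws iam list-access-keys` and `aws iam get-access-key-last-used`;
all records below are constructed, and thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws iam list-access-keys --user-name deploy-bot`.
LIST_ACCESS_KEYS = {"AccessKeyMetadata": [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000001",
     "Status": "Active", "CreateDate": "2023-01-10T08:00:00+00:00"},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000002",
     "Status": "Active", "CreateDate": "2024-05-01T08:00:00+00:00"},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000003",
     "Status": "Inactive", "CreateDate": "2022-03-01T08:00:00+00:00"},
]}
# Constructed sample of `aws iam get-access-key-last-used` per key ID.
# A key that was never used carries no LastUsedDate at all.
LAST_USED = {
    "AKIAEXAMPLE00000001": {"AccessKeyLastUsed": {
        "LastUsedDate": "2024-06-01T12:00:00+00:00",
        "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAEXAMPLE00000002": {"AccessKeyLastUsed": {
        "ServiceName": "N/A", "Region": "N/A"}},
    "AKIAEXAMPLE00000003": {"AccessKeyLastUsed": {
        "LastUsedDate": "2022-04-01T12:00:00+00:00",
        "ServiceName": "ec2", "Region": "eu-west-1"}},
}
SAMPLE_NOW = datetime(2024, 7, 15, tzinfo=timezone.utc)  # assumed "today"

def assess_keys(listing, last_used, now, max_age_days=90, unused_days=30):
    """Return {key_id: [finding, ...]} for every key needing action."""
    findings = {}
    for meta in listing["AccessKeyMetadata"]:
        key_id, issues = meta["AccessKeyId"], []
        age = now - datetime.fromisoformat(meta["CreateDate"])
        if meta["Status"] == "Inactive":
            issues.append("inactive key still exists: delete it")
        else:
            if age > timedelta(days=max_age_days):
                issues.append(f"active key older than {max_age_days} days: rotate")
            last = last_used.get(key_id, {}).get("AccessKeyLastUsed", {}).get("LastUsedDate")
            if last is None:
                issues.append("active key never used: disable or delete")
            elif now - datetime.fromisoformat(last) > timedelta(days=unused_days):
                issues.append(f"active key unused for over {unused_days} days: disable")
        if issues:
            findings[key_id] = issues
    return findings

def sample_findings():
    """Run the policy over the constructed sample as of SAMPLE_NOW."""
    return assess_keys(LIST_ACCESS_KEYS, LAST_USED, SAMPLE_NOW)

if __name__ == "__main__":
    for key_id, issues in sample_findings().items():
        print(key_id, "->", "; ".join(issues))
```

In a real account the same function can be fed from a loop over `aws iam list-users`, one `list-access-keys` call per user, and one `get-access-key-last-used` call per key.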
Detection
Monitor CloudTrail for the key lifecycle events CreateAccessKey, UpdateAccessKey, and DeleteAccessKey.
Track anomalous API usage by key ID and compare with known baseline behavior.