
Deleting a compromised AWS Access Key isn't sufficient - gauravphoenix
https://blog.redlock.io/aws-access-key-security-best-practices
======
for0one
"(The attacker) proceeds to create temporary security credentials using the
AWS (STS) Security Token Service. These credentials are valid for a period of
time ranging from 15 mins to 36 hours based on the parameters used when
requesting the tokens. In this example, the attacker uses 36 hours."

I don't use AWS often. Does AWS provide a way to receive notifications when
AWS STS commands are run? Or do some admins set up syslogging to capture these
events?

~~~
gauravphoenix
You can review the logs in the CloudTrail
[https://aws.amazon.com/cloudtrail/](https://aws.amazon.com/cloudtrail/)
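
As an added example (not from the linked article or from either commenter), this is one way to use CloudTrail records to list the temporary credentials that were minted from a compromised access key and may outlive its deletion. The records and key IDs are constructed placeholders; it assumes the CloudTrail record field names shown, and the STS default lifetime of 12 hours when no duration is requested.

```python
from datetime import datetime, timedelta, timezone

MINTING_CALLS = {"GetSessionToken", "GetFederationToken"}
DEFAULT_TTL = 43200  # seconds; assumed STS default (12 h) when durationSeconds is omitted

def _rec(name, key, when, duration=None, temp_key=None):
    """Build a constructed record using CloudTrail's field names."""
    return {
        "eventSource": "sts.amazonaws.com", "eventName": name, "eventTime": when,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
        "requestParameters": {"durationSeconds": duration} if duration else None,
        "responseElements": {"credentials": {"accessKeyId": temp_key}} if temp_key else None,
    }

# Constructed sample trail (key IDs are placeholders, not real credentials).
SAMPLE_TRAIL = [
    _rec("GetFederationToken", "AKIAIOSFODNN7EXAMPLE", "2018-03-01T10:00:00Z", 129600, "ASIAEXAMPLE0001"),
    _rec("GetSessionToken", "AKIAIOSFODNN7EXAMPLE", "2018-03-01T09:00:00Z", None, "ASIAEXAMPLE0002"),
    _rec("GetSessionToken", "AKIAI44QH8DHBEXAMPLE", "2018-03-01T09:30:00Z", 3600, "ASIAEXAMPLE0003"),
    _rec("GetFederationToken", "AKIAIOSFODNN7EXAMPLE", "2018-03-01T08:00:00Z", 129600, None),  # denied call
]

def sessions_minted_from(records, key_id, now):
    """Return temporary credentials issued to `key_id`, with computed expiry."""
    found = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") not in MINTING_CALLS:
            continue
        if (r.get("userIdentity") or {}).get("accessKeyId") != key_id:
            continue
        creds = (r.get("responseElements") or {}).get("credentials")
        if not creds:  # failed request, nothing was issued
            continue
        issued = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ttl = (r.get("requestParameters") or {}).get("durationSeconds") or DEFAULT_TTL
        expires = issued + timedelta(seconds=ttl)
        found.append({"temp_key": creds["accessKeyId"], "call": r["eventName"],
                      "expires": expires, "still_valid": expires > now})
    return found

if __name__ == "__main__":
    now = datetime(2018, 3, 2, 0, 0, tzinfo=timezone.utc)
    for s in sessions_minted_from(SAMPLE_TRAIL, "AKIAIOSFODNN7EXAMPLE", now):
        print(s["temp_key"], s["call"], s["expires"].isoformat(), "LIVE" if s["still_valid"] else "expired")
```

Any entry marked LIVE is a session that still works after the long-term key is deleted, so it needs to be handled separately during key rotation.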

