AWS Access Key

Unlocked

IAM access key that alerts on API usage

Type

Persistent

Detection

Instant

MITRE ATT&CK

PersistenceCredential AccessCollection

max 10 tokens

AWS Bedrock Key

Unlocked

Bedrock service-specific credentials that alert on AI/ML API usage

Type

Persistent

Detection

Instant

MITRE ATT&CK

PersistenceCredential Access

max 2 tokens

AWS Bedrock Bearer Token

Locked

AWS Bedrock bearer token

Type

Ephemeral

Detection

Instant

MITRE ATT&CK

Persistence

AWS DSQL Token

Locked

Ephemeral Aurora DSQL connection token (36 hours)

Type

Ephemeral

Detection

<1min

MITRE ATT&CK

PersistenceCredential AccessCollection

AWS ECR Token

Locked

Ephemeral container registry token (12 hours)

Type

Ephemeral

Detection

Instant

MITRE ATT&CK

PersistenceCollection

AWS Federation Token

Locked

Ephemeral federated session credentials (15min - 36hr)

Type

Ephemeral

Detection

Instant

MITRE ATT&CK

PersistenceDefense Evasion

AWS Presigned URL

Locked

Ephemeral S3 object access URL (up to 7 days)

Type

Ephemeral

Detection

Instant

MITRE ATT&CK

PersistenceCollectionExfiltration

AWS RDS MySQL User

Locked

MySQL user that alerts on connection attempts

Type

Persistent

Detection

<1min

MITRE ATT&CK

PersistenceCredential AccessCollection

AWS RDS Postgres User

Locked

PostgreSQL user that alerts on connection attempts

Type

Persistent

Detection

<1min

MITRE ATT&CK

PersistenceCredential AccessCollection

AWS S3 Bucket

Unlocked

S3 bucket that alerts on access

Type

Persistent

Detection

Instant

MITRE ATT&CK

DiscoveryReconnaissance

max 2 tokens

AWS Session Token

Locked

Ephemeral session credentials (15min - 36hr)

Type

Ephemeral

Detection

Instant

MITRE ATT&CK

PersistenceDefense EvasionCredential Access

AWS User Credential

Locked

IAM console login credentials that alert on sign-in

Type

Persistent

Detection

Instant

MITRE ATT&CK

PersistenceCredential Access

Azure Service Principal

Locked

Service principal that alerts on authentication

Type

Persistent

Detection

<1min

MITRE ATT&CK

PersistenceDefense EvasionCredential Access

CrowdStrike API Key

Locked

CrowdStrike API credentials that alert on usage

Type

Persistent

Detection

<5min

MITRE ATT&CK

PersistenceCredential AccessCollection

SSH Private Key

Unlocked

SSH key that alerts on authentication attempts

Type

Persistent

Detection

Instant

MITRE ATT&CK

Lateral MovementCredential AccessPersistence

max 20 tokens

Web Clone Token

Locked

Web resource that alerts on access from unexpected domains

Type

Persistent

Detection

Instant

MITRE ATT&CK

Resource DevelopmentInitial Access