AN1470: Analytic 1470
Cloud API usage to create/import SSH keys or generate new access keys (CreateAccessKey, ImportKeyPair, CreateLoginProfile) from non-console access or unusual principals.
Analyst context for executives and security teams
This analytic is about watching IaaS cloud API activity that creates or imports credentials or login material, such as SSH key pairs, access keys, or login profiles, especially when it happens through non-console access or by unusual principals. For leaders, the practical issue is control over who can create durable cloud access. If these events are not logged, reviewed, and governed, an organization may have weak evidence for investigating unexpected cloud access or proving that privileged credential creation is controlled.
Executive priority
Prioritize this as an identity and cloud governance question: who is allowed to create access keys, import SSH keys, or create login profiles, and can the organization prove when it happened and by whom? This matters for incident response readiness, privileged access oversight, audit evidence, and cloud resilience because these actions can change how users or workloads authenticate into IaaS environments. Budget and control decisions should focus on cloud audit logging, identity policy review, and alert triage processes for unusual credential-creation activity.
Technical view
SOC and cloud security teams should validate visibility into the API actions named in the official description: CreateAccessKey, ImportKeyPair, and CreateLoginProfile. These are AWS API names (CreateAccessKey and CreateLoginProfile are IAM actions, ImportKeyPair is an EC2 action, and CreateLoginProfile sets a console sign-in password for an IAM user); in CloudTrail they appear as eventName values with eventSource iam.amazonaws.com or ec2.amazonaws.com, and other IaaS providers expose equivalent credential-creating calls under different names that teams must map locally. Since ATT&CK does not provide a detection implementation or tactic mapping for this analytic, teams should build local logic around non-console API usage, unusual principals, unexpected source context, and deviations from approved administrative workflows. IR teams should ensure investigations can connect the API event to the principal, session context, source network, target account or project, and the resulting key or login artifact (for CreateAccessKey, the new access key ID is recorded in the event's response elements; the secret is not logged).
Likely telemetry
- IaaS cloud API audit logs containing CreateAccessKey, ImportKeyPair, and CreateLoginProfile events
- Principal identity details, including user, role, service account, or assumed identity where available
- Access path indicators distinguishing console from non-console/API access where available
- Source IP address, user agent, session, and authentication context associated with the API call
- Cloud identity and permission policy data showing which principals are allowed to perform these actions
Detection direction
- Confirm that cloud audit logging is enabled and retained for the relevant IaaS accounts or projects where these API actions can occur.
- Create review or alert logic for credential-creation actions by unusual principals, non-console access, or activity outside approved administrative patterns.
- Tune detections against known automation and provisioning workflows to reduce false positives, while requiring ownership and change context for recurring key creation or import activity.
- Correlate events with identity changes, permission grants, and recent administrative sessions to determine whether the principal had an expected reason to create access material.
- Document blind spots where API logs are incomplete, short-retained, not centralized, or lack session/source context needed for investigation.
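The detection direction above, carried through as an added example that is not part of the ATT&CK object or the Glexia page: a small CloudTrail-style triage that flags CreateAccessKey, ImportKeyPair and CreateLoginProfile events coming from a non-console access path or from a principal outside an approved allow-list, and that treats an approved automation role used interactively from the console as its own anomaly. Field names follow the CloudTrail record format; the approved-principal list, the console-detection heuristics and the sample records are constructed assumptions that a team would replace with its own inventory and telemetry.

```python
"""Added triage example for AN1470 (not MITRE's or Glexia's code).
Field names follow CloudTrail records; allow-list, console heuristics and
sample records are constructed assumptions."""
import json
from dataclasses import dataclass, field

# Credential-creating API actions named in the analytic.
CREDENTIAL_ACTIONS = {"CreateAccessKey", "ImportKeyPair", "CreateLoginProfile"}

# Assumption: role ARNs of approved automation expected to create access
# material (e.g. a provisioning pipeline). Matched on the session issuer so
# every assumed-role session of that role is covered.
APPROVED_PRINCIPALS = {"arn:aws:iam::111122223333:role/ProvisioningRole"}

# Heuristic: console-signed calls carry these user agents, and CloudTrail adds
# sessionCredentialFromConsole="true" (the field is present only when true).
CONSOLE_USER_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com")


@dataclass
class Finding:
    event_name: str
    principal: str
    source_ip: str
    artifact: str  # key id, key pair name, or user that received a login profile
    reasons: list = field(default_factory=list)


def principal_arn(record: dict) -> str:
    """ARN of the caller; for assumed roles, the issuing role rather than the session."""
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or "unknown"


def is_console_access(record: dict) -> bool:
    """True when the call came through the management console rather than CLI/SDK."""
    if record.get("sessionCredentialFromConsole") == "true":
        return True
    return record.get("userAgent", "").startswith(CONSOLE_USER_AGENTS)


def artifact_of(record: dict) -> str:
    """Describe the access material the call produced, for the investigator."""
    req = record.get("requestParameters") or {}
    resp = record.get("responseElements") or {}
    name = record["eventName"]
    if name == "CreateAccessKey":
        key_id = (resp.get("accessKey") or {}).get("accessKeyId", "?")
        return f"access key {key_id} for user {req.get('userName', '?')}"
    if name == "ImportKeyPair":
        return f"imported SSH key pair {req.get('keyName', '?')}"
    return f"login profile (console password) for user {req.get('userName', '?')}"


def triage(records) -> list:
    """Return a Finding for every credential-creation event that needs review."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in CREDENTIAL_ACTIONS:
            continue
        principal, console, reasons = principal_arn(rec), is_console_access(rec), []
        if principal not in APPROVED_PRINCIPALS:
            reasons.append("principal not in approved set")
            if not console:
                reasons.append("non-console access path")
        elif console:
            # Automation is expected to call the API from tooling; an interactive
            # console session under the automation role is itself unusual.
            reasons.append("approved automation principal used interactively")
        if rec.get("errorCode"):  # denied attempts are still worth a look
            reasons.append(f"call failed: {rec['errorCode']}")
        if reasons:
            findings.append(Finding(rec["eventName"], principal,
                                    rec.get("sourceIPAddress", "?"), artifact_of(rec), reasons))
    return findings


# Constructed sample CloudTrail records, trimmed to the fields used above.
ROLE = "arn:aws:iam::111122223333:role/ProvisioningRole"
SAMPLE_RECORDS = [
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",  # user, CLI: flag
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}},
    {"eventName": "ImportKeyPair", "eventSource": "ec2.amazonaws.com",  # approved automation: ok
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ProvisioningRole/terraform",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE}}},
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"keyName": "web-tier-2026"}},
    {"eventName": "CreateLoginProfile", "eventSource": "iam.amazonaws.com",  # user, console: flag
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "userAgent": "console.amazonaws.com", "sessionCredentialFromConsole": "true",
     "sourceIPAddress": "203.0.113.22", "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",  # role in console: flag
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ProvisioningRole/someone",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE}}},
     "userAgent": "console.amazonaws.com", "sourceIPAddress": "203.0.113.40",
     "requestParameters": {"userName": "svc-backup"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",  # unrelated: ignored
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding.__dict__))
```

Run against a CloudTrail export (one JSON record per list entry) the same function yields three findings for the sample set: alice's CLI key creation, bob's console-created login profile, and the provisioning role used from the console, while the Terraform import by the approved role is suppressed. The approved-principal check is the tuning point from the list above: it must be backed by an owned, reviewed inventory, or the suppression becomes the blind spot.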
Mitigation priorities
- Limit permissions for CreateAccessKey, ImportKeyPair, and CreateLoginProfile to approved administrative roles or controlled automation.
- Require documented change or provisioning workflows for creation or import of cloud access material.
- Review existing principals that can perform these actions and remove unnecessary privileges.
- Maintain inventory and ownership for generated access keys, imported SSH key pairs, and login profiles.
- Ensure incident response playbooks include validation, containment, and revocation steps for unauthorized or unexplained cloud access material.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for IaaS cloud environments. It provides a concise behavior description but no official detection logic, no tactic mapping, and no relationship context. The most useful defensive value is therefore in validating whether the organization can observe and govern the specified API actions and distinguish expected administrative automation from unusual credential-creation behavior.
This take is limited to the supplied STIX fields and external reference. It does not assert active exploitation, adversary attribution, impact, or existing detection coverage. Local cloud provider configuration, identity model, logging depth, and approved automation patterns are required to turn this into reliable alerting or audit evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c55dd87d7ad3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack, AN1470 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.