AWS account was created in an anomalous way
Description
AlphaSOC detected the creation of a new AWS account. This activity may indicate an attempt by threat actors to establish persistence, bypass security controls, and deploy infrastructure for malicious purposes. Adversaries commonly create or manipulate AWS accounts to maintain long-term access and evade detection.
Impact
An unexpected AWS account creation may indicate that a principal with permission to create accounts has been compromised. Threat actors can use a newly created account to launch further attacks, exfiltrate data, or host malicious infrastructure (e.g., S3 buckets, EC2 instances) outside the monitoring and guardrails applied to established accounts.
Severity
| Severity | Condition |
|---|---|
| Informational | An AWS account was created |
| Low | An AWS account was created from an unexpected ASN or user agent |
Investigation and Remediation
Verify whether the account creation was authorized. Analyze the AWS CloudTrail record for the creation event to identify the calling principal (userIdentity), its source IP address and user agent, and the requested account name, then compare these against approved change requests and IaC pipeline runs. Review the same principal's other recent activity for anything unusual. If unauthorized access is suspected, disable or close the newly created account, revoke all access keys and programmatic permissions associated with it, and rotate the credentials of the principal that created it.
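The triage described above, as an added example that is not AlphaSOC's code: it scans a CloudTrail log body for the Organizations CreateAccount event, extracts the fields an analyst needs to verify authorization, and applies the severity table above. The ASN baseline, the user-agent prefix, the prefix-to-ASN table and the sample log are all constructed for the illustration; a real deployment would replace the lookup with an ASN enrichment source and the baseline with values taken from its own history.

```python
import ipaddress
import json

# The CloudTrail event this alert corresponds to: the Organizations
# CreateAccount API call (eventSource/eventName as CloudTrail records them).
ACCOUNT_CREATION_EVENTS = {("organizations.amazonaws.com", "CreateAccount")}

# Constructed baseline standing in for your own allowlist: the ASN your
# IaC runners egress from and the user-agent prefix those runners send.
EXPECTED_ASNS = {64500}
EXPECTED_USER_AGENT_PREFIXES = ("APN/1.0 HashiCorp/1.0 Terraform",)

# Constructed prefix-to-ASN table; a real deployment would use an ASN
# database or enrichment service instead of this hypothetical lookup.
ASN_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,   # pretend: CI egress
    ipaddress.ip_network("203.0.113.0/24"): 64511,    # pretend: unknown ISP
}


def ip_to_asn(source: str):
    """Return the ASN for a sourceIPAddress, or None if it is not an IP
    (CloudTrail puts a service DNS name there for calls made by AWS itself)."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return None
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


def is_account_creation(record: dict) -> bool:
    return (record.get("eventSource"), record.get("eventName")) in ACCOUNT_CREATION_EVENTS


def classify(record: dict) -> str:
    """Severity per the table above: 'low' when the source ASN or user agent
    is outside the baseline, otherwise 'informational'."""
    asn = ip_to_asn(record.get("sourceIPAddress", ""))
    ua = record.get("userAgent", "")
    if asn not in EXPECTED_ASNS or not ua.startswith(EXPECTED_USER_AGENT_PREFIXES):
        return "low"
    return "informational"


def triage(cloudtrail_json: str) -> list:
    """Pull every account-creation event out of a CloudTrail log file body
    and return the fields an analyst needs to verify authorisation."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if not is_account_creation(rec):
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "account_name": rec.get("requestParameters", {}).get("accountName"),
            "source_ip": rec.get("sourceIPAddress"),
            "asn": ip_to_asn(rec.get("sourceIPAddress", "")),
            "user_agent": rec.get("userAgent"),
            "severity": classify(rec),
        })
    return findings


# Constructed sample log: one IaC-driven creation, one creation from an
# unknown network via the CLI, and an unrelated ListAccounts call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "sourceIPAddress": "198.51.100.7",
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0 aws-sdk-go-v2/1.24.0",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/iac-runner/ci"},
     "requestParameters": {"accountName": "payments-prod"}},
    {"eventTime": "2024-05-01T23:41:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "sourceIPAddress": "203.0.113.9",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"accountName": "backup-tmp"}},
    {"eventTime": "2024-05-01T23:42:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "ListAccounts", "sourceIPAddress": "203.0.113.9",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
]})

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding))
```

Running the block prints the two CreateAccount findings: the Terraform-driven one from the CI network is informational, while the CLI call from the unknown ASN is low. The ListAccounts call is ignored. Both ASN and user agent must match the baseline for an event to stay informational, so a known user agent from an unknown network (or the reverse) is still escalated; a non-IP sourceIPAddress resolves to no ASN and is escalated as well.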
Known False Positives
- Legitimate creation of AWS accounts for new projects, workloads, or resource isolation
- Automated accounts created as part of approved infrastructure-as-code (IaC) deployments
- Temporary accounts created for testing or development purposes