
AWS account was created in an anomalous way

ID: aws_account_created_anomaly
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected the creation of a new AWS account. This activity may indicate an attempt by threat actors to establish persistence, bypass security controls, and deploy infrastructure for malicious purposes. Adversaries commonly create or manipulate AWS accounts to maintain long-term access and evade detection.

Impact

An unexpected AWS account creation may indicate system compromise. Threat actors can use these accounts to launch further attacks, exfiltrate data, or host malicious infrastructure (e.g., S3 buckets, EC2 instances).

Severity

Severity        Condition
Informational   An AWS account was created
Low             An AWS account was created from an unexpected ASN or user agent

Investigation and Remediation

Verify whether the account creation was authorized. Analyze AWS CloudTrail logs to determine the source of the action and investigate any unusual activity. If unauthorized access is suspected, disable the affected account and revoke all associated access keys and programmatic permissions.
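The triage below is an added worked example, not AlphaSOC's detector or any AWS code. It scans CloudTrail records for successful AWS Organizations CreateAccount calls and assigns the severity scheme from the table above: Informational for any creation, Low when the caller's ASN or user agent is outside an expected set. Assumptions: CreateAccount on organizations.amazonaws.com is taken as the account-creation signal; the expected-ASN set, the approved user-agent prefixes, the IP-to-ASN table and the sample records are all constructed placeholders (a real deployment would resolve ASNs from a feed and maintain its own inventory of approved tooling and egress networks).

```python
"""Triage CloudTrail records for anomalous AWS account creation (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: ASNs our admins and CI/CD runners are expected to egress from.
EXPECTED_ASNS = {64512}  # private-use ASN standing in for "corporate egress"

# Constructed: user-agent prefixes of approved tooling (CLI, console, IaC pipeline).
EXPECTED_USER_AGENT_PREFIXES = (
    "aws-cli/",
    "console.amazonaws.com",
    "APN/1.0 HashiCorp/1.0 Terraform/",
)

# Constructed stand-in for an IP-to-ASN lookup; addresses are documentation ranges.
IP_TO_ASN = {
    "203.0.113.10": 64512,   # resolves to the "corporate" ASN
    "198.51.100.77": 64513,  # resolves to an unexpected ASN
}


@dataclass
class Finding:
    event_id: str
    account_name: str
    principal: str
    source_ip: str
    asn: Optional[int]
    user_agent: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def lookup_asn(ip: str) -> Optional[int]:
    """Placeholder ASN resolution; None when the address is unknown."""
    return IP_TO_ASN.get(ip)


def is_successful_account_creation(record: dict) -> bool:
    """True for an Organizations CreateAccount call without an errorCode.

    Denied attempts are excluded because this rule covers accounts that were
    actually created; they deserve a separate rule rather than silence.
    """
    return (
        record.get("eventSource") == "organizations.amazonaws.com"
        and record.get("eventName") == "CreateAccount"
        and "errorCode" not in record
    )


def assess(record: dict) -> Optional[Finding]:
    """Return a Finding for an account creation, or None for unrelated records."""
    if not is_successful_account_creation(record):
        return None
    ip = record.get("sourceIPAddress", "")
    ua = record.get("userAgent", "")
    asn = lookup_asn(ip)
    reasons = []
    # An unresolved ASN (None) is treated as unexpected: unknown is not trusted.
    if asn not in EXPECTED_ASNS:
        reasons.append(f"source ASN {asn} not in expected set")
    if not ua.startswith(EXPECTED_USER_AGENT_PREFIXES):
        reasons.append(f"user agent {ua!r} not from approved tooling")
    return Finding(
        event_id=record.get("eventID", ""),
        account_name=record.get("requestParameters", {}).get("accountName", ""),
        principal=record.get("userIdentity", {}).get("arn", ""),
        source_ip=ip,
        asn=asn,
        user_agent=ua,
        severity="Low" if reasons else "Informational",
        reasons=reasons,
    )


def triage(records: List[dict]) -> List[Finding]:
    return [f for f in (assess(r) for r in records) if f is not None]


# Constructed CloudTrail-style records, trimmed to the fields used above.
_CONTRACTOR = {"arn": "arn:aws:iam::123456789012:user/contractor"}
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventSource": "organizations.amazonaws.com",  # IaC from corporate egress -> Informational
     "eventName": "CreateAccount", "sourceIPAddress": "203.0.113.10",
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/iac-deployer"},
     "requestParameters": {"accountName": "project-sandbox"}},
    {"eventID": "evt-2", "eventSource": "organizations.amazonaws.com",  # unexpected ASN and raw HTTP client -> Low
     "eventName": "CreateAccount", "sourceIPAddress": "198.51.100.77",
     "userAgent": "curl/8.4.0", "userIdentity": _CONTRACTOR,
     "requestParameters": {"accountName": "backup-ops"}},
    {"eventID": "evt-3", "eventSource": "iam.amazonaws.com",  # IAM user, not an account: not matched
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.77",
     "userAgent": "curl/8.4.0", "userIdentity": _CONTRACTOR},
    {"eventID": "evt-4", "eventSource": "organizations.amazonaws.com",  # denied attempt: skipped
     "eventName": "CreateAccount", "sourceIPAddress": "198.51.100.77",
     "userAgent": "curl/8.4.0", "errorCode": "AccessDeniedException",
     "userIdentity": _CONTRACTOR, "requestParameters": {"accountName": "backup-ops"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f.severity, f.event_id, f.account_name, f.principal, f.reasons)
```

Each Finding carries the principal ARN, source IP and user agent so an analyst can check them against the IaC deployments and change tickets listed under Known False Positives before disabling the account or revoking keys.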

Known False Positives

  • Legitimate creation of AWS accounts for new projects, workloads, or resource isolation
  • Automated accounts created as part of approved infrastructure-as-code (IaC) deployments
  • Temporary accounts created for testing or development purposes