AWS IAM entity created unexpectedly
Description
AlphaSOC detected the creation of an AWS Identity and Access Management (IAM) entity in an unusual manner. This event could indicate unauthorized access or potential compromise of AWS credentials. Threat actors can create new IAM entities (users, roles, or groups) to maintain persistence, escalate privileges, or evade detection within the AWS environment. Entities created by AWS services and the attachment of policies to existing entities are exempt from the detection to avoid false positives.
Impact
The creation of unauthorized IAM entities can have significant consequences for cloud security. Threat actors can use these entities to gain long-term access to AWS resources, perform unauthorized actions, access sensitive data, or launch further attacks within the environment. Such actions can bypass normal administrative procedures and security controls.
Severity
| Severity | Condition |
|---|---|
| Low | IAM entity created by a client IP within unexpected ASN or region, accompanied by an unexpected action |
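As an added illustration (not AlphaSOC's rule or code), a minimal form of the detection described above, run over constructed CloudTrail records: it keeps only IAM entity creations, applies the two exemptions (entities created by AWS services and policy attachments), and flags callers whose ASN or country falls outside a baseline. The GeoIP/ASN lookup table, the baseline and the sample events are assumptions, and the corroborating "unexpected action" condition is not modelled.

```python
import ipaddress

# Constructed CloudTrail records (not real telemetry), trimmed to the fields this rule reads.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"userName": "ci-deploy"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"roleName": "backup-svc"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "invokedBy": "cloudformation.amazonaws.com", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "stack-role"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"roleName": "backup-svc"}},
]

# Stand-in for a GeoIP/ASN database (constructed): prefix -> (ASN, country). A real rule would query one.
IP_CONTEXT = {ipaddress.ip_network("198.51.100.0/24"): ("AS64496", "US"),
              ipaddress.ip_network("203.0.113.0/24"): ("AS64511", "XX")}
EXPECTED_ASNS, EXPECTED_COUNTRIES = {"AS64496"}, {"US"}  # hypothetical baseline for this organisation
# Creation events only: policy attachments such as AttachRolePolicy are exempt, so they are not listed.
CREATION_EVENTS = {"CreateUser", "CreateRole", "CreateGroup"}


def lookup_source(ip):
    """Return (asn, country) for a client IP; ("?", "?") for non-IP or unknown sources."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "AWS Internal" or a service DNS name
        return ("?", "?")
    return next((ctx for net, ctx in IP_CONTEXT.items() if addr in net), ("?", "?"))


def unexpected_iam_creations(events):
    """One finding per IAM entity created from outside the ASN/country baseline."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") not in CREATION_EVENTS:
            continue
        if ident.get("type") == "AWSService" or "invokedBy" in ident:
            continue  # entity created by an AWS service on the caller's behalf: exempt
        asn, country = lookup_source(ev.get("sourceIPAddress", ""))
        reasons = [name for name, ok in (("unexpected_asn", asn in EXPECTED_ASNS),
                                         ("unexpected_country", country in EXPECTED_COUNTRIES)) if not ok]
        if reasons:
            p = ev.get("requestParameters", {})
            findings.append({"event": ev["eventName"], "creator": ident.get("arn"), "reasons": reasons,
                             "entity": p.get("userName") or p.get("roleName") or p.get("groupName")})
    return findings
```

Only the CreateRole call from the unknown prefix produces a finding; the in-baseline CreateUser, the CloudFormation-invoked CreateRole and the AttachRolePolicy call are all passed over.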
Investigation and Remediation
Investigate the newly created IAM entity by reviewing its permissions, creation time, and creator's identity. Check for any unusual patterns or deviations from standard procedures. If the entity is determined to be unauthorized, immediately revoke its permissions and delete it. Review AWS CloudTrail logs to identify any actions performed by this entity and assess potential impact.