AWS IAM group deleted
Description
AlphaSOC detected that an AWS IAM group was deleted using the IAM DeleteGroup
action. DeleteGroup only succeeds once every user has been removed from the group
and every managed policy detached and every inline policy deleted, so the deletion
is normally the final step in a sequence of IAM changes. Taken together, those
changes alter the effective permissions of the users who belonged to the group and
can dismantle group-based guardrails such as an explicit Deny policy, which an
adversary may use to reshape access to sensitive resources.
Impact
Threat actors who have compromised an AWS account may delete IAM groups while restructuring the account's permissions. Removing a group, together with the policies it carried and the memberships it held, changes what the former members can do, can lock legitimate users out of resources, and removes a record that defenders rely on to understand who could access what. Combined with other IAM changes, this can support data exfiltration, data manipulation, ransomware attacks, and other malicious activity within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS IAM group deleted |
| Low | AWS IAM group deleted unexpectedly |
Investigation and Remediation
Review the AWS CloudTrail record for the DeleteGroup event, paying attention to userIdentity, sourceIPAddress and userAgent, and then locate the RemoveUserFromGroup, DetachGroupPolicy and DeleteGroupPolicy events for the same group that had to precede it; these show which users and policies the deletion removed and whether the same principal performed the whole sequence. Verify that the action was authorized and performed by a legitimate user from an expected source. If it was not, rotate the compromised credentials, recreate the group and re-add its former members and policies (recreating the group alone does not restore them), and assess the extent of any damage, including other IAM changes made by the same principal.
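The triage described above, as an added example that is not part of AlphaSOC's rule or product: a script that takes CloudTrail records, groups the DeleteGroup event with the RemoveUserFromGroup, DetachGroupPolicy and DeleteGroupPolicy events that preceded it for the same group, and reports who deleted the group, what it removed, and the severity the table above assigns. The records are constructed in CloudTrail's shape; the account ID, user names, group names, policy ARNs, IP addresses and the EXPECTED_ADMINS allow-list are illustrative assumptions.

```python
"""Reconstruct IAM group deletions from CloudTrail records (added example).

DeleteGroup only succeeds on a group with no members and no policies, so the
RemoveUserFromGroup / DetachGroupPolicy / DeleteGroupPolicy calls that precede
it tell the investigator what the deletion actually removed.
"""
import json
from collections import defaultdict
from datetime import datetime

# IAM actions that strip a group so DeleteGroup can succeed, plus DeleteGroup itself
TRACKED = {"RemoveUserFromGroup", "DetachGroupPolicy", "DeleteGroupPolicy", "DeleteGroup"}

# Assumed allow-list of principals expected to reorganise groups (Informational vs Low)
EXPECTED_ADMINS = {"arn:aws:iam::123456789012:user/alice"}


def parse_event(record):
    """Flatten one CloudTrail record to the fields the investigation needs."""
    params = record.get("requestParameters") or {}
    return {
        "time": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "name": record["eventName"],
        "actor": record.get("userIdentity", {}).get("arn", "unknown"),
        "source_ip": record.get("sourceIPAddress"),
        "group": params.get("groupName"),
        # userName for RemoveUserFromGroup, policyArn for DetachGroupPolicy,
        # policyName for DeleteGroupPolicy; None for DeleteGroup itself
        "detail": params.get("userName") or params.get("policyArn") or params.get("policyName"),
        "error": record.get("errorCode"),  # present only when the call failed
    }


def reconstruct_deletions(records, expected_admins=EXPECTED_ADMINS):
    """Return one finding per group that was actually deleted, in time order."""
    by_group = defaultdict(list)
    events = sorted((parse_event(r) for r in records if r.get("eventSource") == "iam.amazonaws.com"),
                    key=lambda e: e["time"])
    for ev in events:
        if ev["group"] and ev["name"] in TRACKED:
            by_group[ev["group"]].append(ev)

    findings = []
    for group, evs in by_group.items():
        deletion = next((e for e in evs if e["name"] == "DeleteGroup" and not e["error"]), None)
        if deletion is None:
            continue  # stripped but never deleted, or every DeleteGroup attempt failed
        precursors = [e for e in evs if e["name"] != "DeleteGroup" and not e["error"]
                      and e["time"] <= deletion["time"]]
        findings.append({
            "group": group,
            "actor": deletion["actor"],
            "source_ip": deletion["source_ip"],
            "deleted_at": deletion["time"].isoformat(),
            # e.g. DeleteConflict: the group still had members or policies at the time
            "failed_attempts": [e["error"] for e in evs if e["name"] == "DeleteGroup" and e["error"]],
            "removed_users": sorted(e["detail"] for e in precursors if e["name"] == "RemoveUserFromGroup"),
            "removed_policies": sorted(e["detail"] for e in precursors if e["name"] != "RemoveUserFromGroup"),
            # a second principal stripping the group before another deletes it is worth a look
            "other_actors": sorted({e["actor"] for e in precursors} - {deletion["actor"]}),
            "severity": "Informational" if deletion["actor"] in expected_admins else "Low",
        })
    return findings


def _rec(time, name, actor, ip, params=None, error=None):
    """Build a constructed CloudTrail record carrying only the fields this script reads."""
    r = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
         "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{actor}"},
         "sourceIPAddress": ip, "requestParameters": params}
    if error:
        r["errorCode"] = error
    return r


ALICE, TEMP = "alice", "contractor-temp"
SAMPLE_RECORDS = [  # constructed sample data, not real CloudTrail output
    _rec("2024-05-01T10:00:00Z", "RemoveUserFromGroup", ALICE, "198.51.100.7",
         {"groupName": "legacy-readonly", "userName": "carol"}),
    _rec("2024-05-01T10:00:05Z", "DeleteGroup", ALICE, "198.51.100.7", {"groupName": "legacy-readonly"}),
    # the unexpected principal tries to delete a populated group first and hits DeleteConflict
    _rec("2024-05-01T10:10:00Z", "DeleteGroup", TEMP, "203.0.113.10", {"groupName": "Finance-Admins"},
         error="DeleteConflict"),
    _rec("2024-05-01T10:10:30Z", "RemoveUserFromGroup", TEMP, "203.0.113.10",
         {"groupName": "Finance-Admins", "userName": "bob"}),
    _rec("2024-05-01T10:10:45Z", "DeleteGroupPolicy", TEMP, "203.0.113.10",
         {"groupName": "Finance-Admins", "policyName": "DenyProdChanges"}),
    _rec("2024-05-01T10:11:00Z", "DetachGroupPolicy", TEMP, "203.0.113.10",
         {"groupName": "Finance-Admins", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _rec("2024-05-01T10:11:10Z", "DeleteGroup", TEMP, "203.0.113.10", {"groupName": "Finance-Admins"}),
    _rec("2024-05-01T10:12:00Z", "ListGroups", ALICE, "198.51.100.7"),  # not a tracked action
]

if __name__ == "__main__":
    print(json.dumps(reconstruct_deletions(SAMPLE_RECORDS), indent=2))
```

Run against the sample data, the legacy-readonly deletion by the allow-listed administrator comes out Informational, while the Finance-Admins deletion comes out Low and shows the failed DeleteConflict attempt, the removed member and the removed ReadOnlyAccess and DenyProdChanges policies. In practice the records would come from `aws cloudtrail lookup-events` or the CloudTrail S3 archive, and the allow-list would be replaced by whatever your environment uses to recognise expected administrative change.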
Known False Positives
- Authorized administrators reorganizing AWS IAM groups and permissions
- Infrastructure-as-code tooling (for example CloudFormation or Terraform) removing or replacing groups as part of a planned change