AWS IAM user profile created without password reset
Description
AlphaSOC detected that an AWS IAM user profile was created using the `CreateLoginProfile` action, which did not require a password reset. This activity could indicate an attempt to gain unauthorized access to AWS resources. Adversaries may create new accounts to establish initial access to a system. It is a recommended practice to require a password reset when creating AWS IAM user accounts.
Impact
The creation of an AWS IAM user profile without a password reset can result in unauthorized access to AWS resources, potentially leading to data breaches, resource misuse, and financial losses. Threat actors may use this account to escalate privileges, carry out malicious activities, or create additional backdoors, compromising the organization’s security posture.
Severity
| Severity | Condition |
|---|---|
| Low | AWS IAM user profile created without password reset |
Investigation and Remediation
Investigate the circumstances surrounding the creation of this AWS IAM user profile and verify whether it was a legitimate action performed by authorized personnel. If unauthorized, disable the account, reset its credentials, and review all actions performed by this user. Analyze AWS CloudTrail logs to identify suspicious activity related to this account and determine whether other accounts or resources have been compromised.
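To support the CloudTrail review described above, the following added example (not AlphaSOC's own detection logic) filters CloudTrail records for successful `CreateLoginProfile` calls that did not set `passwordResetRequired`, and reports who created the profile and from where. The sample records, account ID, user names, and the function name `find_profiles_without_reset` are constructed for illustration; treating a missing flag like an explicit false is an assumption.

```python
# Constructed CloudTrail records for illustration (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"userName": "svc-backup", "passwordResetRequired": False}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"userName": "new-hire", "passwordResetRequired": True}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"userName": "root-helper", "passwordResetRequired": False}},
    {"eventTime": "2024-01-01T10:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"userName": "another-user"}},
]


def find_profiles_without_reset(records):
    """Return one finding per successful CreateLoginProfile call that did not force a reset."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreateLoginProfile":
            continue
        if ev.get("errorCode"):  # call was rejected, so no login profile was created
            continue
        params = ev.get("requestParameters") or {}
        # Assumption: a missing flag is treated the same as an explicit false.
        if params.get("passwordResetRequired") is True:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "target_user": params.get("userName"),
            "actor_arn": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_profiles_without_reset(SAMPLE_RECORDS):
        print(finding)
```

The `actor_arn` and `source_ip` fields give the starting point for verifying whether the creation was performed by authorized personnel.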