AWS identity added to an admin group

ID: aws_identity_added_to_admin_group
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0004:T1484

Description

AlphaSOC detected that an AWS identity was successfully added to an IAM group that carries administrative privileges. In CloudTrail this appears as a successful `AddUserToGroup` call from `iam.amazonaws.com` whose target group is an admin group (by name, or by the `AdministratorAccess` managed policy attached to it). This action may indicate an attempt by threat actors to elevate privileges, potentially leading to data breaches, resource manipulation, or further lateral movement within the AWS environment.

Impact

Adding an identity to an admin group expands the attack surface and increases the risk of compromise. An adversary with administrative access can create, modify or delete AWS resources, access sensitive data, and alter security settings.

Severity

Severity   Condition
Low        AWS identity added to an admin group

Investigation and Remediation

Review the AWS CloudTrail `AddUserToGroup` event to verify whether this action was authorized: check the `userIdentity` of the caller (including whether it acted through an assumed role and which session issued it), the `sourceIPAddress` and `userAgent`, and whether a change request or ticket explains the change. If unauthorized, remove the identity from the admin group (`RemoveUserFromGroup`), rotate the affected credentials (access keys and console password of both the added user and the caller, if the caller is also suspect), and conduct a thorough review of all CloudTrail activity performed by the added identity and by the caller after the event.
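The triage logic above, as an added example that is not AlphaSOC's own detector: it parses CloudTrail records in the standard log-file shape, keeps only successful `AddUserToGroup` calls, decides whether the target group is administrative (by name, or by an attached `AdministratorAccess` managed policy), and returns the fields an analyst needs for the authorization check. The sample records, the `GROUP_POLICIES` map (what `aws iam list-attached-group-policies` would return for each group), and the account ID are constructed for this example.

```python
"""Flag successful IAM AddUserToGroup events that land a user in an admin group."""
import json
import re
from typing import Dict, Iterable, List

# Constructed for this example: attached managed policies per IAM group, as
# `aws iam list-attached-group-policies` would report them.
GROUP_POLICIES: Dict[str, List[str]] = {
    "Administrators": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "PlatformOps": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "Developers": ["arn:aws:iam::aws:policy/PowerUserAccess"],
}

ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}
ADMIN_NAME_PATTERN = re.compile(r"admin", re.IGNORECASE)

# Constructed sample CloudTrail log file (account ID and names are fictitious).
SAMPLE_LOG = json.dumps({"Records": [
    # 1. alice adds bob to a group whose name says "admin": should fire
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupName": "Administrators", "userName": "bob"}},
    # 2. alice adds carol to a non-admin group: should not fire
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupName": "Developers", "userName": "carol"}},
    # 3. denied attempt from an assumed role: membership did not change
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "sourceIPAddress": "198.51.100.7",
     "userAgent": "Boto3/1.34.0", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CI-Deploy/build-42"},
     "requestParameters": {"groupName": "PlatformOps", "userName": "dave"}},
    # 4. successful add to a group that is admin only by attached policy: should fire
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "sourceIPAddress": "198.51.100.7",
     "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CI-Deploy/build-42"},
     "requestParameters": {"groupName": "PlatformOps", "userName": "erin"}},
]})


def load_records(raw: str) -> List[dict]:
    """Parse a CloudTrail log file ({"Records": [...]}) into its event list."""
    return json.loads(raw).get("Records", [])


def is_admin_group(group_name: str, group_policies: Dict[str, List[str]]) -> bool:
    """A group is admin if its name says so or it carries AdministratorAccess."""
    if ADMIN_NAME_PATTERN.search(group_name):
        return True
    return any(arn in ADMIN_POLICY_ARNS for arn in group_policies.get(group_name, []))


def find_admin_group_additions(events: Iterable[dict],
                               group_policies: Dict[str, List[str]]) -> List[dict]:
    """Return triage records for successful AddUserToGroup calls into admin groups."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "AddUserToGroup":
            continue
        if ev.get("errorCode"):  # denied or failed calls never changed membership
            continue
        params = ev.get("requestParameters") or {}
        group = params.get("groupName", "")
        if not is_admin_group(group, group_policies):
            continue
        ident = ev.get("userIdentity", {})
        hits.append({
            "time": ev.get("eventTime"),
            "added_user": params.get("userName"),
            "group": group,
            "actor": ident.get("arn"),          # who made the change
            "actor_type": ident.get("type"),    # IAMUser, AssumedRole, Root, ...
            "source_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_admin_group_additions(load_records(SAMPLE_LOG), GROUP_POLICIES):
        print(json.dumps(hit))
```

Matching on the group name alone misses groups like `PlatformOps` that are administrative only through their attached policy, which is why the check also consults the policy map; in a real deployment that map would be refreshed from IAM rather than hard-coded. Each returned record carries the caller ARN, source IP and user agent needed for the authorization check, and the `RemoveUserFromGroup` step maps to `aws iam remove-user-from-group --group-name <group> --user-name <user>`.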

Known False Positives

  • Legitimate new admin added to an admin group