AWS identity added to an admin group
Description
AlphaSOC detected that an AWS identity was successfully added to an admin group. This action may indicate an attempt by threat actors to elevate privileges, potentially leading to data breaches, resource manipulation, or further lateral movement within the AWS environment.
Impact
Adding an identity to an admin group expands the attack surface and increases the risk of compromise. An adversary with administrative access can create, modify or delete AWS resources, access sensitive data, and alter security settings.
Severity
| Severity | Condition |
|---|---|
| Low | AWS identity added to an admin group |
Investigation and Remediation
Review AWS CloudTrail logs to verify whether this action was authorized. If unauthorized, remove the identity from the admin group, rotate the affected credentials, and conduct a thorough review of all actions performed by the compromised identity.
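The review step above can be scripted against exported CloudTrail records. The following is an added example, not AlphaSOC's detection logic: it flags successful `AddUserToGroup` calls whose target group carries the `AdministratorAccess` managed policy, skips denied attempts (the identity was never added), and then lists every other action recorded for the same actor so the follow-up review has a starting point. The group-to-policy inventory and the CloudTrail records are constructed for this example; in practice the inventory would be pulled from IAM and the records from the CloudTrail bucket or Lake.

```python
"""Flag successful additions to admin groups in CloudTrail records.

Added example, not AlphaSOC's or AWS's code. The group inventory and the
sample records below are constructed for illustration.
"""
import json

# AWS-managed policy that grants full administrative access.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Assumed inventory: IAM group name -> attached managed policy ARNs.
# A real run would populate this from IAM (ListAttachedGroupPolicies).
GROUP_POLICIES = {
    "Administrators": [ADMIN_POLICY_ARN],
    "Developers": ["arn:aws:iam::aws:policy/PowerUserAccess"],
    "ReadOnly": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
}

# Constructed CloudTrail records (not real logs). Field names follow the
# CloudTrail record format; every value here is invented.
SAMPLE_RECORDS = [
    {   # successful add to an admin group: should be flagged
        "eventTime": "2024-01-15T10:02:11Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "jdoe", "groupName": "Administrators"},
    },
    {   # add to a non-admin group: not flagged
        "eventTime": "2024-01-15T10:05:40Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "jdoe", "groupName": "Developers"},
    },
    {   # denied attempt: the identity was not added, so this detection skips it
        "eventTime": "2024-01-15T11:20:03Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "contractor"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"userName": "contractor", "groupName": "Administrators"},
    },
    {   # unrelated action by the same actor, surfaced during the review step
        "eventTime": "2024-01-15T10:09:27Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "jdoe"},
    },
]


def is_admin_group(group_name, group_policies=GROUP_POLICIES):
    """True when the group has the AdministratorAccess policy attached."""
    return ADMIN_POLICY_ARN in group_policies.get(group_name, [])


def find_admin_group_additions(records, group_policies=GROUP_POLICIES):
    """Return one finding per successful AddUserToGroup into an admin group."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "AddUserToGroup":
            continue
        if rec.get("errorCode"):  # API call failed; nothing was added
            continue
        params = rec.get("requestParameters") or {}
        group = params.get("groupName")
        if not is_admin_group(group, group_policies):
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("userName"),
            "actor_ip": rec.get("sourceIPAddress"),
            "added_user": params.get("userName"),
            "group": group,
        })
    return findings


def actions_by_actor(records, actor):
    """Event names recorded for `actor`, in log order, for the follow-up review."""
    return [r["eventName"] for r in records
            if (r.get("userIdentity") or {}).get("userName") == actor]


if __name__ == "__main__":
    for finding in find_admin_group_additions(SAMPLE_RECORDS):
        print(json.dumps(finding))
        print("other actions by actor:",
              actions_by_actor(SAMPLE_RECORDS, finding["actor"]))
```

Identifying admin groups by attached policy rather than by name avoids missing a group that was renamed or created with an innocuous name; an inline policy granting `*:*` would need a similar check against the group's inline policies, which this example does not cover.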
Known False Positives
- Legitimate new admin added to an admin group