AWS IAM login profile was created
Description
AlphaSOC detected the successful creation of an AWS IAM login profile using the CreateLoginProfile action, which sets a password for an IAM user and enables access to AWS services via the AWS Management Console. This activity may indicate attempts by threat actors to establish persistence within the AWS environment or to escalate privileges.
Impact
The unexpected creation of an IAM login profile may indicate that the account has already been compromised. Compromised credentials can grant unauthorized users control over cloud resources, allowing them to delete, modify, or steal critical data.
Severity
| Severity | Condition |
|---|---|
| Informational | An AWS IAM login profile was created |
| Low | Unexpected action |
Investigation and Remediation
Verify whether the creation of the login profile was authorized. Analyze AWS CloudTrail logs to determine the source of the action and investigate any unusual activity. If unauthorized access is suspected, disable the affected IAM user and rotate all access keys.
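One way to carry out the CloudTrail review described above, as an added example (not AlphaSOC's detection logic): it filters successful CreateLoginProfile records and reports who made the call, for which user, and from where. The sample records, the account ID, the `onboarding` role and the `APPROVED_ACTORS` allowlist are constructed assumptions; the review reasons are illustrative triage heuristics.

```python
# Constructed sample CloudTrail records, trimmed to the fields used below.
ACCT = "111122223333"
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "eventTime": "2024-05-01T09:00:00Z", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/onboarding/run-42",
                      "sessionContext": {"sessionIssuer": {
                          "arn": f"arn:aws:iam::{ACCT}:role/onboarding"}}},
     "requestParameters": {"userName": "new.hire", "passwordResetRequired": True}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "eventTime": "2024-05-01T23:14:00Z", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                      "arn": f"arn:aws:iam::{ACCT}:user/svc-backup"},
     "requestParameters": {"userName": "svc-backup", "passwordResetRequired": False}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "eventTime": "2024-05-01T23:10:00Z", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                      "arn": f"arn:aws:iam::{ACCT}:user/svc-backup"},
     "requestParameters": {"userName": "svc-backup", "passwordResetRequired": False}},
]
# Assumption: principals your organisation has approved to provision console access.
APPROVED_ACTORS = {f"arn:aws:iam::{ACCT}:role/onboarding"}


def triage_login_profile_events(records, approved_actors):
    """Return successful CreateLoginProfile calls that need analyst review."""
    findings = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key != ("iam.amazonaws.com", "CreateLoginProfile") or rec.get("errorCode"):
            continue  # other API calls, or failed calls that created no profile
        ident = rec.get("userIdentity") or {}
        # For assumed roles, compare the role ARN, not the per-session STS ARN.
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        actor = issuer.get("arn") or ident.get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        target = params.get("userName", "unknown")
        reasons = []
        if actor not in approved_actors:
            reasons.append("actor not approved")
        if ident.get("type") == "IAMUser" and ident.get("userName") == target:
            reasons.append("user set its own console password")
        if params.get("passwordResetRequired") is False:
            reasons.append("no password reset required")
        if reasons:
            findings.append({"time": rec.get("eventTime"), "actor": actor, "target": target,
                             "source_ip": rec.get("sourceIPAddress"), "reasons": reasons})
    return findings
```
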
Known False Positives
- Legitimate IAM login profile creation by authorized administrators
- Automated processes for user onboarding or account provisioning
- Authorized account management by managed service providers