AWS IAM login profile was created in an anomalous way

ID: aws_login_profile_created_anomaly
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected a successful creation of an AWS IAM login profile using the CreateLoginProfile action, which sets a password for an IAM user and enables access to AWS services via the AWS Management Console. This activity may indicate attempts by threat actors to establish persistence within the AWS environment or to escalate privileges.

Impact

The unexpected creation of an IAM login profile may indicate that the account has already been compromised. Compromised credentials can grant unauthorized users control over cloud resources, allowing them to delete, modify, or steal critical data.

Severity

Severity | Condition
Informational | An AWS IAM login profile was created
Low | Unexpected action

Investigation and Remediation

Verify whether the creation of the login profile was authorized. Analyze AWS CloudTrail logs to determine the source of the action and investigate any unusual activity. If unauthorized access is suspected, disable the affected IAM user and rotate all access keys.
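
One way to carry out the CloudTrail review described above, as an added example (not AlphaSOC's detection logic or code): it summarizes each successful CreateLoginProfile event by actor, source and target user, and attaches review flags. The function name `triage`, the flag names, the `EXPECTED_ACTORS` allowlist and the sample records are assumptions constructed for illustration.

```python
import json

# Constructed CloudTrail records (not real log data), using CloudTrail's record field names.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"userName": "svc-backup", "passwordResetRequired": False}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "203.0.113.20", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/UserOnboarding/alice"},
     "requestParameters": {"userName": "new.hire", "passwordResetRequired": True}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "iam.amazonaws.com", "errorCode": "AccessDenied",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"userName": "admin"}},
]})

# Assumption: ARN prefixes of principals expected to provision console passwords in this account.
EXPECTED_ACTORS = ("arn:aws:sts::111122223333:assumed-role/UserOnboarding/",)

def triage(log_text, expected_actors=EXPECTED_ACTORS):
    """Return one summary per successful CreateLoginProfile event, with review flags."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "CreateLoginProfile":
            continue
        if rec.get("errorCode"):  # a failed call did not create a login profile
            continue
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        actor = ident.get("arn", "unknown")
        flags = []
        if not actor.startswith(tuple(expected_actors)):
            flags.append("actor_not_expected")
        if not params.get("passwordResetRequired", False):  # the API default is no forced reset
            flags.append("no_password_reset_required")
        if ident.get("accessKeyId", "").startswith("AKIA"):  # long-term key: rotate if compromised
            flags.append("long_term_access_key")
        findings.append({"time": rec.get("eventTime"), "actor": actor,
                         "source_ip": rec.get("sourceIPAddress"), "user_agent": rec.get("userAgent"),
                         "target_user": params.get("userName"), "flags": flags})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Events with no flags still need the authorization check described above; the flags only order the review queue.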

Known False Positives

  • Legitimate IAM login profile creation by authorized administrators
  • Automated processes for user onboarding or account provisioning
  • Authorized account management by managed service providers