AWS IAM login profile was modified by a different identity than the owner
Description
AlphaSOC detected a successful modification of an AWS IAM login profile using the UpdateLoginProfile action by an identity different from the profile owner. Adversaries can modify IAM user login profiles to maintain persistence, escalate privileges, or impersonate legitimate users within the AWS environment.
Impact
Unauthorized password changes to IAM login profiles may indicate that the system has already been compromised. Compromised credentials can grant unauthorized users control over cloud resources, allowing them to delete, modify, or steal critical data.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS IAM login profile was modified by a different identity than the owner |
| Low | Unexpected action used |
Investigation and Remediation
Investigate the specific IAM user account and the identity that performed the modification. If the modification is unauthorized, reset the affected IAM user's credentials, revoke active sessions, and enable multi-factor authentication (MFA) if not already in place. Analyze AWS CloudTrail logs to determine the source of the action and investigate any unusual activity since the modification.
Known False Positives
- Authorized administrators modifying IAM profiles as part of routine account management
- Automated scripts or tools used for legitimate IAM user management
- IAM users modifying their own profiles through delegated permissions
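
For the CloudTrail review described under Investigation and Remediation, the following added example (not AlphaSOC's detection logic) filters exported CloudTrail records for successful UpdateLoginProfile calls where the caller is not the profile owner. The sample records are constructed, and `expected_actors` is a hypothetical allowlist of administrators or automation roles you already know about.

```python
def sample_event(kind, actor, target, ip, error=None):
    """Build a constructed CloudTrail record; every value is made up."""
    if kind == "IAMUser":
        ident = {"type": kind, "userName": actor}
    else:  # AssumedRole: the role name sits under sessionIssuer
        ident = {"type": kind,
                 "sessionContext": {"sessionIssuer": {"userName": actor}}}
    ev = {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
          "eventTime": "2024-01-01T00:00:00Z", "sourceIPAddress": ip,
          "userIdentity": ident, "requestParameters": {"userName": target}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    sample_event("IAMUser", "alice", "alice", "198.51.100.7"),    # owner
    sample_event("IAMUser", "mallory", "alice", "203.0.113.50"),  # other user
    sample_event("AssumedRole", "HelpdeskAdmin", "bob", "198.51.100.9"),
    sample_event("IAMUser", "mallory", "carol", "203.0.113.50", "AccessDenied"),
]

def actor_of(identity):
    """Return (type, name) of the calling principal."""
    kind = identity.get("type", "Unknown")
    if kind == "IAMUser":
        return kind, identity.get("userName")
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return kind, issuer.get("userName")
    return kind, identity.get("arn")  # Root, federated, etc.

def foreign_profile_updates(events, expected_actors=frozenset()):
    """Successful UpdateLoginProfile calls made by someone other than the owner.
    expected_actors is a hypothetical allowlist used only to label findings."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (
                "iam.amazonaws.com", "UpdateLoginProfile"):
            continue
        if ev.get("errorCode"):  # failed call, profile not modified
            continue
        target = (ev.get("requestParameters") or {}).get("userName")
        kind, actor = actor_of(ev.get("userIdentity", {}))
        if kind == "IAMUser" and actor == target:
            continue  # the owner changed their own profile
        findings.append({"time": ev.get("eventTime"), "actor": actor,
                         "actor_type": kind, "target": target,
                         "source_ip": ev.get("sourceIPAddress"),
                         "expected": actor in expected_actors})
    return findings
```

Findings with `expected` set to false are the ones to follow up first; allowlisted actors are still reported so that misuse of an administrative role remains visible.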