
AWS IAM login profile was anomalously modified by a different identity than the owner

ID: aws_login_profile_modified_anomaly
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected a successful modification of an AWS IAM login profile using the UpdateLoginProfile action by an identity different from the profile owner. Adversaries can modify IAM user login profiles to maintain persistence, escalate privileges, or impersonate legitimate users within the AWS environment.

Impact

Unauthorized password changes to IAM login profiles may indicate that the system has already been compromised. Compromised credentials can grant unauthorized users control over cloud resources, allowing them to delete, modify, or steal critical data.

Severity

Severity | Condition
Informational | AWS IAM login profile was modified by a different identity than the owner
Low | Unexpected action used

Investigation and Remediation

Investigate the specific IAM user account and the identity that performed the modification. If the modification is unauthorized, reset the affected IAM user's credentials, revoke active sessions, and enable multi-factor authentication (MFA) if not already in place. Analyze AWS CloudTrail logs to determine the source of the action and investigate any unusual activity since the modification.
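To support the CloudTrail review described above, the following added example (not AlphaSOC's detection logic and not code from this page) filters CloudTrail records for successful UpdateLoginProfile calls whose caller is not the profile owner and reports the time, actor, target and source IP. The sample records, names, ARNs and IP addresses are constructed, and the helper names are hypothetical.

```python
# Constructed CloudTrail records; every name, ARN and IP address is made up.
def _rec(time, identity, target, ip, error=None):
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com",
           "eventName": "UpdateLoginProfile", "sourceIPAddress": ip,
           "userIdentity": identity, "requestParameters": {"userName": target}}
    if error:
        rec["errorCode"] = error
    return rec

ALICE = {"type": "IAMUser", "userName": "alice",
         "arn": "arn:aws:iam::111122223333:user/alice"}
HELPDESK = {"type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/HelpDesk/s1",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "HelpDesk"}}}
SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:00Z", ALICE, "bob", "198.51.100.7"),       # other user
    _rec("2024-05-01T10:05:00Z", ALICE, "alice", "198.51.100.7"),     # owner
    _rec("2024-05-01T10:09:00Z", ALICE, "dave", "198.51.100.7", "AccessDenied"),
    _rec("2024-05-01T11:00:00Z", HELPDESK, "carol", "203.0.113.20"),  # role session
]

def actor_name(identity):
    """IAM user name, or the issuing role's name for an assumed-role session."""
    if identity.get("type") == "IAMUser":
        return identity.get("userName")
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or identity.get("arn")

def find_foreign_profile_updates(records):
    """Successful UpdateLoginProfile calls made by someone other than the owner."""
    hits = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "iam.amazonaws.com", "UpdateLoginProfile"):
            continue
        if rec.get("errorCode"):
            continue  # failed call: the profile was not changed
        identity = rec.get("userIdentity") or {}
        target = (rec.get("requestParameters") or {}).get("userName")
        actor = actor_name(identity)
        if identity.get("type") == "IAMUser" and actor == target:
            continue  # owner updated their own profile
        hits.append({"time": rec.get("eventTime"), "actor": actor,
                     "target": target, "source_ip": rec.get("sourceIPAddress")})
    return hits

if __name__ == "__main__":
    for hit in find_foreign_profile_updates(SAMPLE_RECORDS):
        print(hit)
```

Each hit gives a starting point for pivoting on the actor and source IP to review other activity since the modification.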

Known False Positives

  • Authorized administrators modifying IAM profiles as part of routine account management
  • Automated scripts or tools used for legitimate IAM user management
  • IAM users modifying their own profiles through delegated permissions