
Anomalous use of AWS APIs indicating change of AWS IAM user password

ID: aws_password_changed_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0003:T1098 (Persistence: Account Manipulation)

Description

AlphaSOC detected that an Identity and Access Management (IAM) user password was changed, and that one or more properties of the API call (action, source ASN, user agent or region) were unexpected for that user. This activity could indicate an attempt by threat actors to establish and maintain persistence within the environment. Threat actors may rotate the password of a compromised IAM user to defeat password expiration policies and keep the credential usable for as long as possible.

Impact

An unexpected password change may indicate that the account has already been compromised. Compromised credentials can grant unauthorized users control over cloud resources, allowing them to delete, modify, or steal critical data.

Severity

Severity        Condition
Informational   One unexpected property: action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Verify whether the password change was initiated by the account owner. In CloudTrail, a self-service change appears as a ChangePassword event made by the user, while a reset performed on another user's behalf appears as UpdateLoginProfile made by a different principal; check the calling identity, source IP, user agent and region against what is normal for that user. If unauthorized access is suspected, review CloudTrail logs for the same user around the time of the change for unusual activities, such as the creation of new access keys, changes to permissions, or other unexpected actions. Disable the affected account and revoke all associated access keys and programmatic permissions. Enforce multi-factor authentication (MFA) on all accounts to strengthen security and reduce the risk of future unauthorized access.
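The following Python script is an added example, not AlphaSOC's own detection code, showing how the severity table above and the investigation step of pulling follow-on activity can be implemented over a batch of CloudTrail records. It assumes each record has already been enriched with an `asn` field (raw CloudTrail only carries `sourceIPAddress`), that a per-user baseline can be learned from the user's earlier events, that three or more unexpected properties map to Medium, and that the 24-hour follow-on window and the `FOLLOW_ON_EVENTS` list are reasonable choices; the sample events are constructed for illustration.

```python
"""Score IAM password-change events against a per-user baseline and
collect follow-on persistence calls from the same CloudTrail stream."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# CloudTrail event names that set an IAM user's console password.
# ChangePassword is the self-service call; UpdateLoginProfile is the
# administrative call used to reset another user's password.
PASSWORD_CHANGE_EVENTS = {"ChangePassword", "UpdateLoginProfile"}

# Persistence-related calls worth reviewing once a change looks suspicious
# (assumed list for this example; extend it to suit your environment).
FOLLOW_ON_EVENTS = {
    "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AddUserToGroup", "DeactivateMFADevice",
}


@dataclass
class Baseline:
    """Property values already observed for one IAM user."""
    actions: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    regions: set = field(default_factory=set)

    def learn(self, event):
        self.actions.add(event["eventName"])
        self.asns.add(event["asn"])          # assumed enrichment field
        self.user_agents.add(event["userAgent"])
        self.regions.add(event["awsRegion"])


def build_baseline(events, user):
    """Learn a baseline from every earlier event made by the user."""
    baseline = Baseline()
    for ev in events:
        if ev["userIdentity"]["userName"] == user:
            baseline.learn(ev)
    return baseline


def unexpected_properties(event, baseline):
    """Names of the event properties that the baseline has never seen."""
    checks = {
        "action": event["eventName"] in baseline.actions,
        "asn": event["asn"] in baseline.asns,
        "user_agent": event["userAgent"] in baseline.user_agents,
        "region": event["awsRegion"] in baseline.regions,
    }
    return sorted(name for name, seen in checks.items() if not seen)


def severity(unexpected):
    """Severity per the table on this page; None when nothing is unexpected."""
    return {0: None, 1: "Informational", 2: "Low"}.get(len(unexpected), "Medium")


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def score_password_changes(events, window=timedelta(hours=24)):
    """One finding per password-change event: its unexpected properties,
    severity, and any persistence calls by the same user inside the window."""
    ordered = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    findings = []
    for i, ev in enumerate(ordered):
        if ev["eventName"] not in PASSWORD_CHANGE_EVENTS:
            continue
        user = ev["userIdentity"]["userName"]
        unexpected = unexpected_properties(ev, build_baseline(ordered[:i], user))
        t0 = parse_time(ev["eventTime"])
        follow_on = [
            later["eventName"] for later in ordered[i + 1:]
            if later["userIdentity"]["userName"] == user
            and later["eventName"] in FOLLOW_ON_EVENTS
            and parse_time(later["eventTime"]) - t0 <= window
        ]
        findings.append({"user": user, "event": ev["eventName"],
                         "time": ev["eventTime"], "unexpected": unexpected,
                         "severity": severity(unexpected), "follow_on": follow_on})
    return findings


def _ev(time, name, user, asn, agent, region):
    """Build a minimal, constructed CloudTrail-like record."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "userAgent": agent, "asn": asn,
            "userIdentity": {"type": "IAMUser", "userName": user}}


# Constructed sample data: alice rotates from a new ASN then mints a key,
# bob rotates with every property unexpected, carol rotates routinely.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00Z", "ConsoleLogin", "alice", 7922, "Mozilla/5.0", "us-east-1"),
    _ev("2024-05-01T08:05:00Z", "ListBuckets", "alice", 7922, "aws-cli/2.15.0", "us-east-1"),
    _ev("2024-05-03T03:12:00Z", "ChangePassword", "alice", 14061, "aws-cli/2.15.0", "us-east-1"),
    _ev("2024-05-03T03:16:00Z", "CreateAccessKey", "alice", 14061, "aws-cli/2.15.0", "us-east-1"),
    _ev("2024-05-03T03:22:00Z", "AttachUserPolicy", "alice", 14061, "aws-cli/2.15.0", "us-east-1"),
    _ev("2024-05-01T09:00:00Z", "ConsoleLogin", "bob", 7922, "Mozilla/5.0", "eu-west-1"),
    _ev("2024-05-03T04:40:00Z", "ChangePassword", "bob", 9009, "python-requests/2.31.0", "ap-southeast-1"),
    _ev("2024-05-06T10:00:00Z", "CreateAccessKey", "bob", 9009, "python-requests/2.31.0", "ap-southeast-1"),
    _ev("2024-05-01T10:00:00Z", "ConsoleLogin", "carol", 7922, "Mozilla/5.0", "us-east-1"),
    _ev("2024-05-02T10:00:00Z", "ChangePassword", "carol", 7922, "Mozilla/5.0", "us-east-1"),
]

if __name__ == "__main__":
    for finding in score_password_changes(SAMPLE_EVENTS):
        print(finding)
```

Carol's routine rotation scores only Informational (the action itself is new for her), which is the first false positive listed below; alice's change from a new ASN followed within minutes by CreateAccessKey and AttachUserPolicy is the pattern the investigation step is looking for, and bob's CreateAccessKey three days later falls outside the window and is not attached to his finding.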

Known False Positives

  • Routine password changes by users
  • Automated password resets triggered by password expiration policies
  • Password changes performed by IT administrators during account maintenance or troubleshooting
  • Initial password setup