Anomalous use of AWS APIs indicating change of AWS IAM user password
Description
AlphaSOC detected that an Identity and Access Management (IAM) user password was changed. This activity could indicate an attempt by threat actors to establish and maintain persistence within the environment. Threat actors may frequently rotate passwords to bypass password duration policies and preserve the life of compromised credentials.
Impact
An unexpected password change may indicate that the account has already been compromised. Compromised credentials can grant unauthorized users control over cloud resources, allowing them to delete, modify, or steal critical data.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Verify whether the password change was initiated by the account owner. If unauthorized access is suspected, review CloudTrail logs for unusual activities, such as the creation of new access keys, changes to permissions, or other unexpected actions. Disable the affected account and revoke all associated access keys and programmatic permissions. Enforce multi-factor authentication (MFA) on all accounts to strengthen security and reduce the risk of future unauthorized access.
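As an added example (not AlphaSOC's code), the following Python scores a CloudTrail IAM password-change record against a per-user baseline using the severity table above, and lists follow-on persistence-style actions by the same user as the investigation step suggests. The baseline, the IP-to-ASN enrichment map and the sample records are constructed; capping more than three unexpected properties at Medium is an assumption, since the table stops at three.

```python
from datetime import datetime

# Severity by number of unexpected properties, from the table above.
# The table stops at three, so four unexpected properties are capped at Medium (assumption).
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}
PASSWORD_CHANGE_ACTIONS = {"ChangePassword", "UpdateLoginProfile"}  # IAM API names
FOLLOW_ON_ACTIONS = {"CreateAccessKey", "AttachUserPolicy", "PutUserPolicy"}
PROPERTY_KEYS = {"action": "actions", "asn": "asns", "user_agent": "user_agents", "region": "regions"}

# Constructed per-user baseline; a real deployment would learn this from history.
BASELINE = {
    "alice": {"actions": {"ConsoleLogin", "GetUser"}, "asns": {"AS64496"},
              "user_agents": {"console.amazonaws.com"}, "regions": {"us-east-1"}},
}
# Constructed IP-to-ASN enrichment; CloudTrail itself records only the source IP.
ASN_BY_IP = {"203.0.113.10": "AS64496", "198.51.100.7": "AS64500"}

# Constructed CloudTrail-style records (not real logs): a password change, then a new key.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"userName": "alice"}},
]

def score_password_change(event, baseline=BASELINE, asn_by_ip=ASN_BY_IP):
    """Return (severity, unexpected_properties); (None, []) when the record is not an
    IAM password change or when every property matches the user's baseline."""
    action = event.get("eventName")
    if event.get("eventSource") != "iam.amazonaws.com" or action not in PASSWORD_CHANGE_ACTIONS:
        return None, []
    user = event.get("userIdentity", {}).get("userName", "")
    profile = baseline.get(user, {k: set() for k in PROPERTY_KEYS.values()})  # unknown user: all unexpected
    observed = {"action": action,
                "asn": asn_by_ip.get(event.get("sourceIPAddress"), "unknown"),
                "user_agent": event.get("userAgent"),
                "region": event.get("awsRegion")}
    unexpected = [p for p, v in observed.items() if v not in profile[PROPERTY_KEYS[p]]]
    if not unexpected:
        return None, []
    return SEVERITY[min(len(unexpected), 3)], unexpected

def follow_on_actions(records, user, after):
    """Names of persistence-style IAM actions by `user` after the ISO-8601 time `after`."""
    t0 = datetime.fromisoformat(after.replace("Z", "+00:00"))
    return sorted(r["eventName"] for r in records
                  if r.get("userIdentity", {}).get("userName") == user
                  and r.get("eventName") in FOLLOW_ON_ACTIONS
                  and datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00")) > t0)
```

Running `score_password_change(SAMPLE_RECORDS[0])` yields Medium (action, ASN and user agent are all outside alice's baseline), and `follow_on_actions(SAMPLE_RECORDS, "alice", "2024-05-01T10:00:00Z")` surfaces the access key created three minutes later.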
Known False Positives
- Routine password changes by users
- Automated password resets triggered by password expiration policies
- Password changes performed by IT administrators during account maintenance or troubleshooting
- Initial password setup