Suspicious use of AWS APIs indicating privilege escalation
Description
AlphaSOC detected AWS API calls indicating potential privilege escalation activities. In AWS Identity and Access Management (IAM), users operate under specific roles, groups, and policies that control their access to resources. Threat actors commonly exploit IAM vulnerabilities or misconfigurations to elevate their privileges and gain unauthorized access to sensitive assets.
Impact
Threat actors with elevated privileges can access sensitive data, modify or delete critical resources, launch new instances for malicious activities, and chain escalations to gain administrative control over the organization.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
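The severity ladder above expressed as scoring logic over CloudTrail-shaped records, as an added example (not AlphaSOC's code). It assumes a per-principal baseline of expected properties, a constructed IP-to-ASN table, and an assumed watch list of IAM actions that can grant permissions; treating four unexpected properties like three is also an assumption.

```python
from dataclasses import dataclass, field
# Constructed IP-to-ASN table; a real deployment would use an ASN database.
IP_TO_ASN = {"203.0.113.10": "AS64496", "198.51.100.7": "AS64497"}
# IAM actions that can grant extra permissions (assumed watch list, not from the page).
WATCHED_ACTIONS = {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey",
                   "UpdateAssumeRolePolicy", "AddUserToGroup"}
# One unexpected property -> Informational, two -> Low, three -> Medium; four is
# treated like three, which is an assumption (the page stops at three).
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}

@dataclass
class Baseline:
    """Properties normally observed for one IAM principal (constructed)."""
    actions: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    regions: set = field(default_factory=set)

def unexpected_properties(event: dict, baseline: Baseline) -> list:
    """List which of action, ASN, user agent and region fall outside the baseline."""
    checks = [
        ("action", event["eventName"] in baseline.actions),
        ("asn", IP_TO_ASN.get(event["sourceIPAddress"]) in baseline.asns),
        ("user_agent", event["userAgent"] in baseline.user_agents),
        ("region", event["awsRegion"] in baseline.regions),
    ]
    return [name for name, expected in checks if not expected]

def score(event: dict, baseline: Baseline):
    """Return (severity, unexpected properties); severity is None when nothing fires."""
    found = unexpected_properties(event, baseline)
    if event["eventName"] not in WATCHED_ACTIONS or not found:
        return None, found
    return SEVERITY_BY_COUNT[min(len(found), 3)], found

def ev(name, ip, ua, region):
    return {"eventName": name, "sourceIPAddress": ip, "userAgent": ua, "awsRegion": region}

# Constructed baseline and CloudTrail-shaped records for one principal.
BASELINE = Baseline({"AttachUserPolicy"}, {"AS64496"}, {"aws-cli/2.15.0"}, {"us-east-1"})
EVENTS = [
    ev("AttachUserPolicy", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),  # all expected
    ev("AttachUserPolicy", "203.0.113.10", "aws-cli/2.15.0", "eu-west-1"),  # region
    ev("PutUserPolicy", "198.51.100.7", "aws-cli/2.15.0", "us-east-1"),  # action, ASN
    ev("PutUserPolicy", "198.51.100.7", "python-requests/2.31.0", "us-east-1"),  # + user agent
]

def triage(events=EVENTS, baseline=BASELINE) -> list:
    return [score(e, baseline)[0] for e in events]
```

Baselines per user or role also absorb the false positives listed below (pipelines, service-linked roles) by recording the ASNs, user agents and regions those principals normally use.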
Investigation and Remediation
Investigate the associated API calls and identify the user or role that issued them. If unauthorized escalation is confirmed, take immediate action by revoking compromised credentials, resetting affected user passwords, and rotating any exposed access keys. Conduct a thorough impact assessment to identify all resources that may have been accessed or modified during the incident.
Known False Positives
- Administrative activities requiring temporary privilege elevation
- CI/CD pipelines using role assumption for authorized tasks
- Applications attempting to access resources due to misconfiguration
- Security or DevOps teams conducting authorized tests
- AWS service-linked roles automatically assuming required permissions