AWS SSO access token created

ID: aws_sso_access_token_created
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected the creation of an AWS Single Sign-On (SSO) access token. AWS SSO tokens authenticate users across multiple AWS services without requiring repeated logins. Adversaries may create AWS SSO tokens to maintain persistent access to an environment and bypass authentication controls.

Impact

The unauthorized creation of AWS SSO tokens can enable prolonged, undetected access to multiple AWS services. Threat actors could exploit this access for data exfiltration, lateral movement, and further network compromise. A single compromised token can potentially grant broad access to an organization’s digital infrastructure.

Severity

Severity        Condition
Informational   AWS SSO access token created

Investigation and Remediation

Review AWS CloudTrail logs to investigate the token creation and determine whether it was authorized. In the case of a compromise, note that AWS SSO tokens cannot be directly revoked like traditional AWS IAM credentials. Instead, invalidate the token's access by managing the permissions behind it: update or remove the AWS IAM policies associated with the token, which restricts what it can reach in AWS.
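The CloudTrail review described above, as an added example that is not AlphaSOC's own detection logic: it assumes the token creation is logged as the SSO OIDC CreateToken API call (eventSource sso-oidc.amazonaws.com), skips failed or pending attempts, and runs over constructed sample records rather than real log data.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail document (not real log data). Field names follow
# the CloudTrail record format; only the second record represents a minted token.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:14:30Z", "eventSource": "sso-oidc.amazonaws.com",
     "eventName": "CreateToken", "errorCode": "AuthorizationPendingException",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"grantType": "urn:ietf:params:oauth:grant-type:device_code",
                           "clientId": "EXAMPLE-CLIENT-ID"}},
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "sso-oidc.amazonaws.com",
     "eventName": "CreateToken",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"grantType": "urn:ietf:params:oauth:grant-type:device_code",
                           "clientId": "EXAMPLE-CLIENT-ID"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-sdk-go/1.44", "requestParameters": {}},
]})


def find_sso_token_creations(log_text: str) -> list[dict]:
    """Return one triage summary per successful SSO OIDC CreateToken call.

    Records carrying an errorCode (e.g. the device-code flow still pending
    user approval) did not produce a token and are skipped.
    """
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "sso-oidc.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateToken" or "errorCode" in rec:
            continue
        params = rec.get("requestParameters") or {}
        hits.append({
            # eventTime is UTC in CloudTrail; keep it timezone-aware for correlation
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "source_ip": rec.get("sourceIPAddress"),   # compare against known egress
            "user_agent": rec.get("userAgent"),        # unexpected tooling is a lead
            "grant_type": params.get("grantType"),
            "client_id": params.get("clientId"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_sso_token_creations(SAMPLE_LOG):
        print(hit)
```

Feed it the contents of a CloudTrail log file and pivot on source_ip, user_agent and client_id to decide whether the creation was expected.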