AWS SSO access token created
Description
AlphaSOC detected the creation of an AWS Single Sign-On (SSO) access token. AWS SSO tokens are used to authenticate users across multiple AWS services without requiring repeated logins. Adversaries may create AWS SSO tokens to maintain persistent access to systems and bypass authentication controls.
Impact
The unauthorized creation of AWS SSO tokens can enable prolonged, undetected access to multiple AWS services. Threat actors could exploit this access for data exfiltration, lateral movement, and further network compromise. A single compromised token can potentially grant broad access to an organization’s digital infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS SSO access token created |
Investigation and Remediation
Review AWS CloudTrail logs to investigate the token creation and determine whether it was authorized. In the case of a compromise, note that AWS SSO tokens cannot be directly revoked like traditional AWS IAM credentials. Instead, you should invalidate the token's access by managing related permissions. This can be achieved by updating or removing the AWS IAM policies associated with the token, effectively restricting its access to AWS resources.
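The CloudTrail review described above can be started with a small triage script. The following is an added example, not AlphaSOC's detection code; it assumes the token creation appears in CloudTrail as eventSource `sso-oidc.amazonaws.com` with eventName `CreateToken`, and runs over constructed sample records so it works offline.

```python
import json
from typing import Iterable

# Assumed CloudTrail signature of an SSO access token creation (eventSource,
# eventName). Adjust the set if your trail records it under a different pair.
SSO_TOKEN_EVENTS = {("sso-oidc.amazonaws.com", "CreateToken")}


def find_sso_token_creations(records: Iterable[dict]) -> list[dict]:
    """Return one summary per CloudTrail record that matches an SSO token
    creation, keeping the fields an analyst needs to decide whether the
    creation was authorized (who, from where, with which client)."""
    hits = []
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) not in SSO_TOKEN_EVENTS:
            continue
        ident = r.get("userIdentity") or {}
        hits.append({
            "time": r.get("eventTime"),
            "source_ip": r.get("sourceIPAddress"),
            "user_agent": r.get("userAgent"),
            "identity_type": ident.get("type"),
            "principal": ident.get("principalId") or ident.get("arn"),
            "region": r.get("awsRegion"),
            "error": r.get("errorCode"),  # failed attempts are kept too
        })
    return hits


# Constructed sample trail (not real log data): one SSO token creation and
# one unrelated STS call that must not be flagged.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sso-oidc.amazonaws.com",
  "eventName": "CreateToken", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"type": "Unknown", "principalId": "example-principal"}},
 {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
  "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/Example/s"}}
]}""")

if __name__ == "__main__":
    for hit in find_sso_token_creations(SAMPLE_TRAIL["Records"]):
        print(hit)
```

Point the script at a real trail by loading the CloudTrail JSON file and passing its `Records` list; each hit's source IP and user agent are the first things to compare against the expected sign-in location and tooling.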