Suspicious AWS API call with account access key
Description
AlphaSOC detected unexpected AWS API calls containing account access keys. This indicates potential exposure or unauthorized use of AWS access keys that provide access to AWS services and resources.
Impact
Exposed AWS access keys allow threat actors to make unauthorized API calls, access sensitive data, and compromise cloud infrastructure. Adversaries can use these keys to create new resources, exfiltrate data, or establish persistence in the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected ASN accompanied by unexpected action, region, or user agent |
| Medium | At least three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the source IP, user agent, and API calls made with the exposed key. Analyze the key usage pattern and compare it with existing activity patterns. If unauthorized use is confirmed, immediately deactivate the access key, rotate any similarly configured keys, and revoke permissions granted to the compromised credentials.
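The severity table and the CloudTrail review step above, as an added Python illustration (not AlphaSOC's detection code): each record for one access key is projected onto the four compared properties, checked against a baseline of previously seen values, and scored per the table. The baseline, the IP-to-ASN lookup and the CloudTrail-style records are constructed for the example.

```python
"""Score access-key API calls against a baseline of known properties
(ASN, action, region, user agent) using the severity table above.
Added example, not AlphaSOC code; all data below is constructed."""

# Constructed IP-to-ASN lookup; a real pipeline resolves sourceIPAddress
# through an ASN database instead of a static dictionary.
IP_TO_ASN = {"203.0.113.10": "AS64500", "198.51.100.7": "AS64501"}

# Constructed baseline: property values previously observed for this key.
BASELINE = {
    "asn": {"AS64500"},
    "action": {"GetObject", "ListBuckets"},
    "region": {"us-east-1"},
    "user_agent": {"aws-sdk-go/1.44"},
}


def properties(event: dict) -> dict:
    """Project a CloudTrail record onto the four properties the rule compares."""
    return {
        "asn": IP_TO_ASN.get(event.get("sourceIPAddress"), "unknown"),
        "action": event.get("eventName"),
        "region": event.get("awsRegion"),
        "user_agent": event.get("userAgent"),
    }


def unexpected_properties(event: dict, baseline: dict = BASELINE) -> list:
    """Names of properties whose value never appeared in the baseline."""
    props = properties(event)
    return [name for name in baseline if props[name] not in baseline[name]]


def severity(event: dict, baseline: dict = BASELINE):
    """Medium: three or more unexpected properties at once.
    Low: unexpected ASN together with an unexpected action, region or user agent.
    None: below the table's thresholds, so no alert."""
    unexpected = unexpected_properties(event, baseline)
    if len(unexpected) >= 3:
        return "Medium"
    if "asn" in unexpected and len(unexpected) >= 2:
        return "Low"
    return None


# Constructed CloudTrail-style records for the same key (irrelevant fields omitted).
EVENTS = [
    {"eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userAgent": "aws-sdk-go/1.44"},
    {"eventName": "GetObject", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7", "userAgent": "aws-sdk-go/1.44"},
    {"eventName": "CreateUser", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15"},
    {"eventName": "CreateUser", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10", "userAgent": "aws-sdk-go/1.44"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["eventName"], unexpected_properties(ev), severity(ev))
```

Note that the fourth record has two unexpected properties but a known ASN, so by the table it produces no alert; the ASN is the property that anchors the Low condition.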