
AWS role assumed by an unknown external principal

ID: aws_assume_role_external_principal
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0001 (Initial Access), T1078.004 (Valid Accounts: Cloud Accounts)

Description

AlphaSOC detected that an AWS IAM role was assumed by an unknown external principal, that is, a caller whose AWS account (or, for federated sign-in, identity provider) is not one the organization is known to own or trust, via the STS actions AssumeRole, AssumeRoleWithSAML, or AssumeRoleWithWebIdentity. These API calls hand temporary credentials for the role to any caller that the role's trust policy permits (an IAM user or role in another account, an AWS service, or a SAML/OIDC-federated application), so an over-broad trust policy or a compromised trusted identity lets an outsider act with the role's permissions and potentially escalate privileges.

Impact

This behavior indicates that a role within the AWS account was successfully assumed by a principal from outside the organization's AWS environment, i.e. from an unknown or untrusted AWS account or identity provider. The caller now holds temporary credentials that carry the role's permissions; depending on what those permissions allow, it could read sensitive data, modify resources, or perform other unauthorized actions in the AWS environment, including assuming further roles that trust this one.

Severity

Severity | Condition
Medium   | AWS role assumed by an unknown external principal

Investigation and Remediation

Review the CloudTrail record for the STS call to identify the caller (userIdentity.accountId, or userIdentity.identityProvider for SAML and OIDC callers, together with sourceIPAddress), the target role (requestParameters.roleArn), and the session that was issued (responseElements.assumedRoleUser.arn). Then search for later events whose userIdentity.arn matches that session ARN to see what the caller did with the temporary credentials. Confirm with the role's owners whether the assumption was authorized and whether the role's trust policy should list that account or identity provider at all. If unauthorized, revoke the role's active sessions and rotate any potentially compromised credentials, restrict the trust policy to the intended principals (adding an sts:ExternalId condition for legitimate third-party access), and review the IAM policies attached to the role so that they adhere to the principle of least privilege.
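The triage above, as an added worked example (this is not AlphaSOC's detection code, and it does not reproduce how the product decides which principals are "unknown"). It runs over a handful of constructed CloudTrail records in the real record shape, flags successful STS assume calls whose caller is neither one of the organization's account IDs nor a trusted identity provider (both lists are assumptions to replace with your own), follows the issued session ARN to the API calls made with the temporary credentials, and builds the inline deny policy that the IAM console attaches when you choose "Revoke active sessions". AWS service callers (userIdentity.type AWSService, e.g. EC2 obtaining instance-profile credentials) are deliberately not treated as external.

```python
"""Triage of CloudTrail STS role-assumption records (added example, not AlphaSOC code)."""
import json
from datetime import datetime, timezone

# Assumption: the organization's own account IDs and the federated identity
# providers its roles are meant to trust. Replace with your real inventory.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}
KNOWN_IDENTITY_PROVIDERS = {"token.actions.githubusercontent.com"}
STS_ASSUME_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}

# Constructed sample records in CloudTrail's JSON shape, trimmed to the fields used here.
SAMPLE_RECORDS = [
    {   # Cross-account assumption from an org account: expected, not flagged.
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "recipientAccountId": "111111111111",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                         "arn": "arn:aws:sts::222222222222:assumed-role/Deploy/ci"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/CrossAccountRead",
                              "roleSessionName": "ci"},
        "responseElements": {"assumedRoleUser": {
            "arn": "arn:aws:sts::111111111111:assumed-role/CrossAccountRead/ci"}},
    },
    {   # Same role assumed from an account that is not ours: the alert case.
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "recipientAccountId": "111111111111",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "accountId": "999999999999",
                         "arn": "arn:aws:iam::999999999999:user/someone"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/CrossAccountRead",
                              "roleSessionName": "s1"},
        "responseElements": {"assumedRoleUser": {
            "arn": "arn:aws:sts::111111111111:assumed-role/CrossAccountRead/s1"}},
    },
    {   # What the external caller did with the temporary credentials.
        "eventTime": "2024-05-01T10:06:30Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "recipientAccountId": "111111111111",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "arn": "arn:aws:sts::111111111111:assumed-role/CrossAccountRead/s1"},
    },
    {   # Web-identity federation from a provider the trust policy should not list.
        "eventTime": "2024-05-01T10:20:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity", "recipientAccountId": "111111111111",
        "sourceIPAddress": "192.0.2.44",
        "userIdentity": {"type": "WebIdentityUser", "identityProvider": "idp.example.net",
                         "principalId": "idp.example.net:abc", "userName": "abc"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/OidcDeploy",
                              "roleSessionName": "s2"},
        "responseElements": {"assumedRoleUser": {
            "arn": "arn:aws:sts::111111111111:assumed-role/OidcDeploy/s2"}},
    },
]


def caller_origin(record):
    """Classify the STS caller as ('account', id), ('provider', name) or ('service', name)."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind in ("SAMLUser", "WebIdentityUser"):
        return ("provider", ident.get("identityProvider", "unknown"))
    if kind == "AWSService":
        return ("service", ident.get("invokedBy", "unknown"))
    return ("account", ident.get("accountId", "unknown"))


def is_external(record, known_accounts=KNOWN_ACCOUNTS, known_providers=KNOWN_IDENTITY_PROVIDERS):
    """True when the caller is neither an org account nor a trusted identity provider."""
    kind, value = caller_origin(record)
    if kind == "service":
        return False
    return value not in (known_accounts if kind == "account" else known_providers)


def find_external_assumptions(records, **kw):
    """Successful STS assume calls whose caller is outside the organization."""
    hits = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") not in STS_ASSUME_EVENTS:
            continue
        if "errorCode" in r or not is_external(r, **kw):  # failed calls carry errorCode
            continue
        hits.append({"time": r["eventTime"], "caller": caller_origin(r),
                     "source_ip": r.get("sourceIPAddress"),
                     "role": r["requestParameters"]["roleArn"],
                     "session_arn": r["responseElements"]["assumedRoleUser"]["arn"]})
    return hits


def follow_session(records, session_arn):
    """Non-STS API calls made with the temporary credentials of one issued session."""
    return [(r["eventTime"], r["eventSource"], r["eventName"]) for r in records
            if r.get("userIdentity", {}).get("arn") == session_arn
            and r.get("eventSource") != "sts.amazonaws.com"]


def revoke_sessions_policy(issued_before):
    """Inline deny policy invalidating every session token issued before the cutoff
    (the form the IAM console attaches for 'Revoke active sessions')."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}


if __name__ == "__main__":
    for hit in find_external_assumptions(SAMPLE_RECORDS):
        print(json.dumps(hit))
        for ev in follow_session(SAMPLE_RECORDS, hit["session_arn"]):
            print("   followed by", ev)
    cutoff = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(json.dumps(revoke_sessions_policy(cutoff), indent=2))
```

Attach the generated policy inline to the role (for example with aws iam put-role-policy) only after confirming the cutoff time, since it also cuts off legitimate sessions issued before it; the trust-policy fix and credential rotation from the paragraph above still have to follow.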