Unexpected AWS role assumed by an external principal

ID: aws_assume_role_new_external
Data type: AWS CloudTrail
Severity: Low - Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected that an AWS role was assumed by a principal for the first time using actions such as AssumeRole, AssumeRoleWithSAML, or AssumeRoleWithWebIdentity. These API calls allow an entity (IAM user, AWS service, or application) to assume an AWS IAM role and potentially escalate privileges.

Impact

This activity may indicate unauthorized access to AWS resources through role-based permissions. Depending on the permissions associated with the assumed role, an unauthorized user could potentially access sensitive data, modify resources, or perform unauthorized actions within the AWS environment.

Severity

Severity    Condition
Low         Unexpected AWS role assumed by a principal
Medium      Unexpected AWS role assumed by an external principal

Investigation and Remediation

Review AWS CloudTrail logs to identify the principal, assumed role, and any subsequent actions taken. Verify whether the role assumption was authorized. If unauthorized, rotate potentially compromised credentials and review AWS IAM policies and role configurations to ensure they adhere to the principle of least privilege.
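The detection and triage logic described on this page, as an added example that is not AlphaSOC's implementation: it baselines (principal, role) pairs from CloudTrail STS events, alerts on a first-time pair, and scores it Medium when the caller's account differs from the account owning the role (that cross-account definition of "external" is an assumption here, as are the constructed sample records).

```python
# Added example, not AlphaSOC's code: baseline (principal, role) pairs from
# CloudTrail STS events and alert on first-time pairs; cross-account = Medium.
from typing import Iterable

ASSUME_ACTIONS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}

def principal_key(event: dict) -> str:
    """Stable caller identity: IAM identities carry an ARN; SAML, web-identity
    and cross-account callers are identified by type and principalId."""
    ui = event["userIdentity"]
    return ui.get("arn") or f"{ui['type']}:{ui.get('principalId', '')}"

def is_external(event: dict) -> bool:
    """Assumption used here: external = caller's account differs from the
    account that owns the role (federated callers without an accountId are not)."""
    caller_acct = event["userIdentity"].get("accountId")
    return caller_acct is not None and caller_acct != event["recipientAccountId"]

def detect_new_assumptions(events: Iterable[dict], seen: set) -> list:
    """One alert per never-before-seen pair; `seen` is the persisted baseline."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") not in ASSUME_ACTIONS:
            continue
        if ev.get("errorCode"):  # a denied call creates no session
            continue
        pair = (principal_key(ev), ev["requestParameters"]["roleArn"])
        if pair in seen:
            continue
        seen.add(pair)
        alerts.append({"severity": "Medium" if is_external(ev) else "Low",
                       "principal": pair[0], "role": pair[1], "action": ev["eventName"],
                       # pivot on the session ARN to pull the follow-up actions during triage
                       "session_arn": ev.get("responseElements", {}).get("assumedRoleUser", {}).get("arn")})
    return alerts
# Constructed sample records (not real CloudTrail data).
ROLE = "arn:aws:iam::111111111111:role/Admin"
ALICE = {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"}
PARTNER = {"type": "AWSAccount", "accountId": "222222222222", "principalId": "AIDAEXAMPLE"}

def make_event(name: str, caller: dict, error: str = "") -> dict:
    ev = {"eventSource": "sts.amazonaws.com", "eventName": name, "recipientAccountId": "111111111111",
          "userIdentity": caller, "requestParameters": {"roleArn": ROLE},
          "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::111111111111:assumed-role/Admin/s1"}}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [make_event("AssumeRole", ALICE), make_event("AssumeRole", ALICE),  # second is baselined
                 make_event("AssumeRole", PARTNER), make_event("AssumeRole", PARTNER, "AccessDenied")]
```

Running `detect_new_assumptions(SAMPLE_EVENTS, set())` yields two alerts: a Low one for alice's first assumption and a Medium one for the partner account; the repeat and the denied call produce nothing.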