AWS role assumed by an external principal with an unexpected user agent
Description
AlphaSOC detected that an AWS role was assumed by an external principal using the AssumeRole action with an unexpected user agent. This API call allows an entity (IAM user, AWS service, or application) to assume an AWS IAM role and potentially escalate privileges.
Impact
This behavior indicates that a role within the AWS account was successfully assumed by an entity from outside the organization's AWS environment, or from an unknown or untrusted AWS account. The use of an unfamiliar user agent in this context is suspicious and may indicate unauthorized access. Depending on the permissions associated with the assumed role, the external entity could potentially access sensitive data, modify resources, or perform unauthorized actions within the AWS environment.
Severity
Severity | Condition |
---|---|
Low | AWS role assumed by an external principal with an unexpected user agent |
Investigation and Remediation
Review AWS CloudTrail logs to identify the principal, assumed role, and any subsequent actions taken. Verify whether the role assumption was authorized. If unauthorized, rotate potentially compromised credentials and review AWS IAM policies and role configurations to ensure they adhere to the principle of least privilege.
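The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it finds successful AssumeRole calls from accounts outside a trusted set with a user agent outside an expected list, then lists later calls signed with the temporary key that was issued. The trusted account list, the expected user agent prefixes, and all records are constructed assumptions.

```python
# Assumptions for this example (not AlphaSOC's detection logic):
TRUSTED_ACCOUNTS = {"111111111111"}  # account IDs the organization owns
EXPECTED_AGENTS = ("aws-cli/", "Boto3/", "aws-sdk-")  # user agent prefixes normally seen
ROLE = "arn:aws:iam::111111111111:role/ExampleRole"  # constructed role ARN

def sts(acct, typ, agent, key, error=None):
    """Constructed CloudTrail AssumeRole record, trimmed to the fields used below."""
    rec = {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
           "userIdentity": {"type": typ, "accountId": acct}, "userAgent": agent,
           "sourceIPAddress": "198.51.100.7", "requestParameters": {"roleArn": ROLE},
           "responseElements": {"credentials": {"accessKeyId": key}}}
    if error:  # failed calls carry errorCode and no credentials
        rec.update(errorCode=error, responseElements=None)
    return rec

def api(source, name, key):
    """Constructed record for a later call made with temporary credentials."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": key}}

EVENTS = [
    sts("999999999999", "AWSAccount", "python-requests/2.31.0", "ASIAEXAMPLE0000000001"),
    sts("111111111111", "IAMUser", "aws-cli/2.15.0", "ASIAEXAMPLE0000000002"),
    sts("999999999999", "AWSAccount", "curl/8.4.0", None, error="AccessDenied"),
    api("s3.amazonaws.com", "ListBuckets", "ASIAEXAMPLE0000000001"),
    api("iam.amazonaws.com", "ListRoles", "ASIAEXAMPLE0000000001"),
    api("s3.amazonaws.com", "GetObject", "ASIAEXAMPLE0000000002"),
]

def external_assume_roles(events):
    """Successful AssumeRole calls from untrusted accounts with an unexpected agent."""
    hits = []
    for e in events:
        if (e.get("eventSource"), e.get("eventName")) != ("sts.amazonaws.com", "AssumeRole"):
            continue
        ident = e.get("userIdentity") or {}
        if e.get("errorCode") or ident.get("type") == "AWSService":
            continue
        if ident.get("accountId") in TRUSTED_ACCOUNTS:
            continue
        if not (e.get("userAgent") or "").startswith(EXPECTED_AGENTS):
            hits.append(e)
    return hits

def follow_up_actions(events, assume_event):
    """Later calls signed with the temporary key issued by this AssumeRole."""
    key = assume_event["responseElements"]["credentials"]["accessKeyId"]
    return [f'{e["eventSource"]}:{e["eventName"]}' for e in events
            if (e.get("userIdentity") or {}).get("accessKeyId") == key]

for hit in external_assume_roles(EVENTS):
    print(hit["userIdentity"]["accountId"], hit["userAgent"], follow_up_actions(EVENTS, hit))
```

Against real trails, load the records from the exported CloudTrail JSON and also check `requestParameters.roleArn` against the role's trust policy to decide whether the assumption was authorized.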