AWS root account assumed via temporary credentials
Description
AlphaSOC detected the use of temporary credentials to assume an AWS root account using the AssumeRoot action. The root account has unrestricted access to all AWS services and resources, making it a prime target for threat actors. Use of the root account via temporary credentials is generally discouraged and may indicate unauthorized access or a breach of security best practices.
Impact
Assuming the AWS root account grants complete control over the entire AWS infrastructure. A threat actor with root access can create, modify, or delete any resources, potentially leading to data breaches, service disruptions, or financial losses.
Severity
| Severity | Condition |
|---|---|
| Low | AWS root account assumed via temporary credentials |
| Medium | AWS root account unexpectedly assumed via temporary credentials |
Investigation and Remediation
Review AWS CloudTrail logs to identify the origin of the AssumeRoot request (the calling principal and its source IP address) and any subsequent actions taken with the resulting root session. Verify whether the AssumeRoot call was authorized. If it was not, restrict access for the potentially compromised AWS IAM role or user, rotate the root account's access keys, and enable multi-factor authentication (MFA) on the root account if not already in place.
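The CloudTrail review described above, and the Low/Medium split in the severity table, as an added Python example (not AlphaSOC's own detection code): it filters a CloudTrail log file down to AssumeRoot records and rates each one against a baseline of expected callers and source networks. The records, account IDs, ARNs, IP addresses and the baseline are constructed for the example; the requestParameters field names are assumed to mirror the STS AssumeRoot API parameters.

```python
import ipaddress
import json

# Constructed sample CloudTrail records, not real logs. The layout follows the
# standard CloudTrail schema; account IDs, ARNs and IPs are hypothetical, and
# requestParameters is assumed to mirror the AssumeRoot API parameter names.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2025-01-10T08:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoot", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/CentralRootAdmin/alice"},
     "requestParameters": {"targetPrincipal": "444455556666",
                           "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"}}},
    {"eventTime": "2025-01-10T23:41:57Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoot", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-bob"},
     "requestParameters": {"targetPrincipal": "444455556666",
                           "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"}}},
    {"eventTime": "2025-01-10T09:15:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::444455556666:role/ReadOnly"}},
]})

# Hypothetical baseline: which principals are expected to assume root, and from where.
EXPECTED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/CentralRootAdmin/alice"}
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def assume_root_events(cloudtrail_json):
    """Return only the STS AssumeRoot records from a CloudTrail log file."""
    records = json.loads(cloudtrail_json)["Records"]
    return [r for r in records
            if r.get("eventSource") == "sts.amazonaws.com"
            and r.get("eventName") == "AssumeRoot"]


def classify(event, expected_principals=EXPECTED_PRINCIPALS,
             expected_sources=EXPECTED_SOURCES):
    """Rate one AssumeRoot record: Low when caller and source match the baseline, else Medium."""
    caller = event["userIdentity"].get("arn", "")
    ip = ipaddress.ip_address(event["sourceIPAddress"])
    expected = (caller in expected_principals
                and any(ip in net for net in expected_sources))
    params = event.get("requestParameters", {})
    return {
        "time": event["eventTime"],
        "caller": caller,
        "source_ip": str(ip),
        "target_account": params.get("targetPrincipal"),
        "task_policy": params.get("taskPolicyArn", {}).get("arn"),
        "severity": "Low" if expected else "Medium",
    }
```

Each returned record carries the fields an analyst needs for the follow-up in CloudTrail: who called AssumeRoot, from where, which account was targeted and which task policy was requested.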