
Unsuccessful attempt to assume AWS root account

ID: aws_assume_root_failure
Data type: AWS CloudTrail
Severity: Low - Medium
MITRE ATT&CK: TA0007:T1580

Description

AlphaSOC detected an unsuccessful attempt to assume the AWS root account using the AssumeRoot action. The root account has unrestricted access to all AWS services and resources, making it a prime target for threat actors. A failed AssumeRoot action may indicate a malicious but unsuccessful effort to gain root access, potentially signaling unauthorized activity within the AWS environment.

Impact

Assuming the AWS root account grants complete control over the entire AWS infrastructure. A threat actor with root access can create, modify, or delete any resources, potentially leading to data breaches, service disruptions, or financial losses.

Severity

Severity   Condition
Low        Unsuccessful attempt to assume AWS root account
Medium     Unsuccessful and unexpected attempt to assume AWS root account

Investigation and Remediation

Review AWS CloudTrail logs to identify the origin of the request, including IP address, user agent, and any associated AWS IAM users or roles. Verify whether the AssumeRoot action was authorized. If unauthorized, restrict access for the potentially compromised AWS IAM role or user and enable multi-factor authentication (MFA) if not already in place.
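The following Python script is an added example (not AlphaSOC's detection code) that shows both the detection condition in the severity table and the first investigation step above: it filters CloudTrail records for failed AssumeRoot calls, extracts the source IP, user agent and calling principal, and rates each finding Low when the caller is on an allowlist of principals expected to assume root, and Medium otherwise. The sample records, the account IDs and the EXPECTED_CALLERS allowlist are constructed for illustration; the field names (eventSource, eventName, errorCode, sourceIPAddress, userAgent, userIdentity, requestParameters.targetPrincipal) follow the CloudTrail record format.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real telemetry): a failed AssumeRoot from an
# IAM user, a failed AssumeRoot from an expected automation role, a successful AssumeRoot,
# and an unrelated AssumeRole failure that must not match.
SAMPLE_EVENTS = [
    {
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
        "eventTime": "2025-01-10T09:14:02Z", "sourceIPAddress": "203.0.113.45",
        "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/contractor"},
        "requestParameters": {"targetPrincipal": "222222222222"},
    },
    {
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
        "eventTime": "2025-01-10T09:20:17Z", "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34.0", "errorCode": "AccessDenied",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/OrgRootTaskRunner/nightly",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::111111111111:role/OrgRootTaskRunner"}},
        },
        "requestParameters": {"targetPrincipal": "333333333333"},
    },
    {
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
        "eventTime": "2025-01-10T09:25:00Z", "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/OrgRootTaskRunner/nightly"},
        "requestParameters": {"targetPrincipal": "333333333333"},
    },
    {
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "eventTime": "2025-01-10T09:30:41Z", "sourceIPAddress": "203.0.113.45",
        "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/contractor"},
    },
]

# Hypothetical allowlist: principals that are expected to call AssumeRoot in this environment.
EXPECTED_CALLERS = {"arn:aws:iam::111111111111:role/OrgRootTaskRunner"}


def parse_cloudtrail(text):
    """Accept either a CloudTrail log file ({"Records": [...]}) or newline-delimited JSON."""
    stripped = text.strip()
    if stripped.startswith("{") and '"Records"' in stripped:
        return json.loads(stripped)["Records"]
    return [json.loads(line) for line in stripped.splitlines() if line.strip()]


def caller_identity(event):
    """Prefer the issuing role ARN for role sessions, otherwise the principal ARN itself."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or "<unknown>"


def failed_assume_root(events):
    """Detection condition: an STS AssumeRoot call that CloudTrail recorded with an errorCode."""
    return [e for e in events
            if e.get("eventSource") == "sts.amazonaws.com"
            and e.get("eventName") == "AssumeRoot"
            and "errorCode" in e]


def classify(event, expected_callers=EXPECTED_CALLERS):
    """Build one finding with the fields an analyst reviews first; rate by expectedness."""
    caller = caller_identity(event)
    return {
        "severity": "low" if caller in expected_callers else "medium",
        "time": event.get("eventTime"),
        "caller": caller,
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        "target_account": event.get("requestParameters", {}).get("targetPrincipal"),
        "error": event.get("errorCode"),
    }


def triage(events, expected_callers=EXPECTED_CALLERS):
    return [classify(e, expected_callers) for e in failed_assume_root(events)]


def count_by_origin(findings):
    """Group findings by (source IP, caller) to spot repeated attempts from one origin."""
    return Counter((f["source_ip"], f["caller"]) for f in findings)


if __name__ == "__main__":
    records = parse_cloudtrail(json.dumps({"Records": SAMPLE_EVENTS}))
    for finding in triage(records):
        print(json.dumps(finding))
    print(dict(count_by_origin(triage(records))))
```

Point parse_cloudtrail at the contents of a downloaded CloudTrail log file; the allowlist drives the Low/Medium split, so keep it narrow and review any Medium finding as a potential unauthorized attempt.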