AWS CloudShell file downloaded
Description
AlphaSOC detected a file download through AWS CloudShell using the
getFileDownloadUrls action, which generates pre-signed URLs for downloading
files from the browser-based shell environment.
Impact
Threat actors who gain unauthorized access to CloudShell can use this functionality to exfiltrate sensitive data, configuration files, or credentials stored within the CloudShell environment. This could lead to exposure of proprietary information, access keys, or infrastructure details that could facilitate lateral movement or further compromise of AWS resources.
Severity
| Severity | Condition |
|---|---|
| Low | AWS CloudShell file downloaded |
Investigation and Remediation
Review AWS CloudTrail logs to identify which files were downloaded from CloudShell, along with the user involved. Verify whether the download was authorized. If unauthorized, immediately disable the compromised IAM user or role, examine the environment and all recent actions performed by this identity for additional context, and rotate any credentials that may have been exposed.
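The CloudTrail review described above, as an added example that is not AlphaSOC's own code: it selects CloudShell download events from exported CloudTrail records and lists what else the same identity did within an hour of each download. The records are constructed, and the eventSource value cloudshell.amazonaws.com, the function names and the one-hour window are assumptions not stated on this page.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail records, not real log data. The requestParameters
# content is a placeholder; the real field names may differ.
SAMPLE = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudshell.amazonaws.com",
  "eventName": "CreateSession", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudshell.amazonaws.com",
  "eventName": "GetFileDownloadUrls", "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"placeholder": "constructed"},
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
 {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/other-user"}},
 {"eventTime": "2024-05-01T14:00:00Z", "eventSource": "sts.amazonaws.com",
  "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}}
]""")

def when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def is_cloudshell_download(rec):
    # Case-insensitive match: the page writes the action as getFileDownloadUrls.
    return (rec.get("eventSource") == "cloudshell.amazonaws.com"
            and rec.get("eventName", "").lower() == "getfiledownloadurls")

def triage(records, window=timedelta(hours=1)):
    """For each download event, list the same identity's activity within the window."""
    findings = []
    for rec in filter(is_cloudshell_download, records):
        arn = rec.get("userIdentity", {}).get("arn")
        related = sorted((r for r in records if arn and r is not rec
                          and r.get("userIdentity", {}).get("arn") == arn
                          and abs(when(r) - when(rec)) <= window), key=when)
        findings.append({
            "time": rec["eventTime"], "identity": arn,
            "source_ip": rec.get("sourceIPAddress"),
            "request": rec.get("requestParameters"),
            "related_events": [f'{r["eventSource"]}:{r["eventName"]}' for r in related]})
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

CloudTrail log files delivered to S3 wrap events in a top-level "Records" array, so pass that list to triage when reading real files.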