AWS decoy resource accessed

ID: aws_decoy_resource_accessed
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0007:T1580

Description

AlphaSOC detected that potential AWS decoy resources (honeypots), set up on AWS S3 buckets, AWS IAM, AWS DynamoDB, or AWS Secrets Manager, were accessed. This activity may indicate an adversary actively probing or attempting to exploit the organization's AWS infrastructure.

Impact

Honeypots are systems intentionally designed to attract and trap potential threat actors. They are used to detect and deflect breaches. Access to these decoy resources may indicate an ongoing compromise, where threat actors are conducting reconnaissance or attempting to exploit vulnerabilities within the AWS environment.

Severity

Severity    Condition
Low         AWS decoy resource accessed

Investigation and Remediation

Review AWS CloudTrail logs to identify the specific AWS IAM user or role that accessed the decoy resources. Investigate for potential reconnaissance or exploitation attempts. If any malicious activity is detected, rotate all potentially compromised credentials and review recent account activity for signs of compromise.
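
The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's own code: it groups decoy hits by the IAM principal behind them so the right credentials can be rotated. The decoy names, identities and log records are constructed, and matching decoys by substring is an assumption that relies on distinctive honeypot names.

```python
from collections import defaultdict

# Constructed decoy names (assumption): substitute your own honeypot identifiers.
DECOYS = {"decoy-backups", "decoy/db-admin", "decoy-customers"}

# Constructed CloudTrail identities and records, trimmed to the fields used below.
ROLE = {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/s1", "accessKeyId": "ASIAEXAMPLE000000001",
        "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}}}
USER = {"arn": "arn:aws:iam::111122223333:user/alice", "accessKeyId": "AKIAEXAMPLE000000002"}
SAMPLE = [
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ROLE, "requestParameters": {"bucketName": "decoy-backups", "key": "db.sql"}},
    {"eventTime": "2024-05-01T10:05:40Z", "eventName": "Scan", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ROLE, "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/decoy-customers"}]},
    {"eventTime": "2024-05-01T11:15:03Z", "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.20",
     "errorCode": "AccessDenied", "userIdentity": USER, "requestParameters": {"secretId": "decoy/db-admin"}},
    {"eventTime": "2024-05-01T11:20:00Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.20",
     "userIdentity": USER, "requestParameters": {"bucketName": "app-assets", "key": "logo.png"}},
]

def decoys_touched(rec, decoys):
    """Decoy names found in requestParameters values or resource ARNs (substring match)."""
    values = [str(v) for v in (rec.get("requestParameters") or {}).values()]
    values += [r.get("ARN", "") for r in rec.get("resources") or []]
    return {d for d in decoys if any(d in v for v in values)}

def principal(rec):
    """Prefer the role behind an assumed-role session over the per-session ARN."""
    ident = rec.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or ident.get("principalId", "unknown")

def summarize(records, decoys=DECOYS):
    """Group decoy hits by principal; denied calls are kept because the attempt is the signal."""
    out = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if not (hits := decoys_touched(rec, decoys)):
            continue
        s = out[principal(rec)]
        s["decoys"] |= hits
        s["calls"].add((rec["eventName"], rec.get("errorCode", "OK")))
        s["ips"].add(rec.get("sourceIPAddress"))
        s["keys"].add((rec.get("userIdentity") or {}).get("accessKeyId"))
        s["times"].add(rec["eventTime"])
    return {p: dict(s) for p, s in out.items()}

if __name__ == "__main__":
    for who, s in summarize(SAMPLE).items():
        print(who, sorted(s["decoys"]), sorted(s["calls"]), sorted(s["ips"]), min(s["times"]), max(s["times"]))
```

The access key IDs collected per principal are the credentials to rotate first, and the earliest timestamp bounds the window for the wider account-activity review.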