Unsuccessful AWS IAM password change attempt
Description
AlphaSOC detected an unsuccessful attempt to change an AWS IAM user password using the ChangePassword or UpdateLoginProfile actions. This activity may indicate an ongoing attack, with adversaries trying to guess the current password.
Impact
Unauthorized use of these actions may suggest an attempt by threat actors to obtain targeted AWS IAM user credentials. If successful, an adversary could take control of the account and gain unauthorized access to AWS resources. This could lead to data breaches, resource misuse, or further lateral movement within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Low | Unsuccessful AWS IAM password change attempt |
Investigation and Remediation
Review AWS CloudTrail logs to investigate the source of this action, including the IP address, user agent, AWS region, and the associated user account. Verify whether it was authorized. If unauthorized, rotate potentially compromised credentials, investigate the incident, and ensure multi-factor authentication (MFA) is enforced for all AWS IAM users.
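The following triage sketch is an added example, not AlphaSOC's detection logic. It filters CloudTrail records for failed ChangePassword and UpdateLoginProfile calls and groups them by source IP and targeted user. The function names, the `_rec` helper and all sample values are constructed for illustration.

```python
import json
from collections import Counter

WATCHED = {"ChangePassword", "UpdateLoginProfile"}

def _rec(name, user, ip, error=None, target=None):
    """Build one constructed CloudTrail-style record (sample data only)."""
    rec = {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "iam.amazonaws.com",
           "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userAgent": "constructed-agent/1.0",
           "userIdentity": {"type": "IAMUser", "userName": user},
           "requestParameters": {"userName": target} if target else None}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log: three failures and one successful change.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("ChangePassword", "alice", "198.51.100.23", error="AccessDenied"),
    _rec("ChangePassword", "alice", "198.51.100.23", error="AccessDenied"),
    _rec("UpdateLoginProfile", "bob", "203.0.113.7", error="AccessDenied", target="alice"),
    _rec("ChangePassword", "carol", "192.0.2.10"),  # succeeded: no errorCode
]})

def failed_password_changes(log_text):
    """Return one triage row per failed IAM password change event."""
    rows = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED or not rec.get("errorCode"):
            continue
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        rows.append({
            "time": rec.get("eventTime"), "action": rec["eventName"],
            "error": rec["errorCode"],
            "caller": ident.get("userName") or ident.get("arn"),
            # UpdateLoginProfile names its target; ChangePassword acts on the caller.
            "target": params.get("userName") or ident.get("userName"),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"), "region": rec.get("awsRegion"),
        })
    return rows

def summarize_by_source(rows):
    """Count failures per (source IP, target user) to expose repeated attempts."""
    return dict(Counter((r["source_ip"], r["target"]) for r in rows))
```

Repeated failures from one source IP against the same user, or a caller that differs from the target, are the rows to verify first against known administrative activity.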