Use of an AWS IAM role that was unused for a long period
Description
AlphaSOC detected the use of the AssumeRole action for an AWS IAM role that had been inactive for an extended period. The AssumeRole action allows a user or service to temporarily assume the permissions of a specified AWS IAM role.
Impact
The unexpected use of a long-dormant IAM role could indicate unauthorized activity within the AWS environment. Dormant roles are often associated with excessive or outdated permissions and may be exploited by threat actors to gain unauthorized access to sensitive data or manipulate AWS resources.
Severity
| Severity | Condition |
|---|---|
| Medium | Use of an AWS IAM role that was unused for a long period |
| High | Suspicious use of an AWS IAM role that was unused for a long period |
Investigation and Remediation
Review the AWS CloudTrail logs to identify activity associated with the dormant AWS IAM role, including all actions performed after the AssumeRole API call.
Verify whether this action was authorized and, if not, rotate potentially compromised credentials and perform a security audit of the AWS environment for other signs of compromise.
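The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it finds each AssumeRole call that ends a dormancy gap and lists the calls made afterwards with the temporary credentials that call returned. The 90-day threshold, the helper names, and every record in `SAMPLE` are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DORMANCY = timedelta(days=90)  # assumed threshold; the page does not define "long period"

def ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def dormant_role_sessions(records, dormancy=DORMANCY):
    """Findings for each successful AssumeRole that ends a dormancy gap, with follow-on calls."""
    records = sorted(records, key=ts)
    last_used, findings = {}, []  # last_used: role ARN -> time of previous AssumeRole
    for rec in records:
        if rec["eventName"] != "AssumeRole" or rec.get("errorCode"):
            continue
        role = rec["requestParameters"]["roleArn"]
        prev, last_used[role] = last_used.get(role), ts(rec)
        if prev is None or ts(rec) - prev < dormancy:
            continue  # no baseline in this log window, or the role is in regular use
        key_id = rec["responseElements"]["credentials"]["accessKeyId"]
        # Calls made with the temporary credentials this AssumeRole returned
        actions = [(r["eventTime"], r["eventSource"], r["eventName"], r["sourceIPAddress"])
                   for r in records
                   if ts(r) >= ts(rec) and r["userIdentity"].get("type") == "AssumedRole"
                   and r["userIdentity"].get("accessKeyId") == key_id]
        findings.append({"role": role, "idle_days": (ts(rec) - prev).days, "actions": actions,
                         "caller": rec["userIdentity"].get("arn"), "source_ip": rec["sourceIPAddress"]})
    return findings

def _assume(t, role, key, ip, caller):  # builds a constructed AssumeRole record
    return {"eventTime": t, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "arn": caller},
            "requestParameters": {"roleArn": role},
            "responseElements": {"credentials": {"accessKeyId": key}}}

def _call(t, source, name, key, ip):  # builds a constructed call made by a role session
    return {"eventTime": t, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": key}}

ACCT = "arn:aws:iam::111122223333:"  # all names and values below are constructed
OLD, APP = ACCT + "role/legacy-backup", ACCT + "role/app"
SAMPLE = [
    _assume("2024-01-05T09:00:00Z", OLD, "ASIAOLD0001", "198.51.100.7", ACCT + "user/ops"),
    _assume("2024-06-01T10:00:00Z", APP, "ASIAAPP0001", "198.51.100.7", ACCT + "user/ci"),
    _assume("2024-06-19T10:00:00Z", APP, "ASIAAPP0002", "198.51.100.7", ACCT + "user/ci"),
    _call("2024-06-19T10:01:00Z", "s3.amazonaws.com", "PutObject", "ASIAAPP0002", "198.51.100.7"),
    _assume("2024-06-20T03:12:00Z", OLD, "ASIAOLD0002", "203.0.113.50", ACCT + "user/ops"),
    _call("2024-06-20T03:13:00Z", "s3.amazonaws.com", "ListBuckets", "ASIAOLD0002", "203.0.113.50"),
    _call("2024-06-20T03:15:00Z", "s3.amazonaws.com", "GetObject", "ASIAOLD0002", "203.0.113.50"),
]
```

A role seen only once in the supplied records is skipped because the window holds no earlier use to measure against, so feed the function a log range longer than the dormancy threshold.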