AWS IAM user created with admin policy attached
Description
AlphaSOC detected the creation of an AWS IAM user with administrative privileges using the CreateUser or AttachUserPolicy actions. This activity may suggest a potential compromise, where a threat actor creates a new IAM user with full access to the organization's AWS resources and services.
Impact
An AWS IAM user with an attached admin policy could allow a threat actor to perform any operation within the AWS environment, including creating, modifying, or deleting resources and accessing sensitive data.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS IAM user created with admin policy attached |
Investigation and Remediation
Review the newly created AWS IAM user, its associated permissions, and all of the actions performed by this user. Verify whether the creation was authorized. If unauthorized, delete the user, rotate any potentially compromised credentials, and perform a security audit of the AWS environment for other signs of compromise.
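The review step can be scripted over exported CloudTrail records. The following is an added example, not AlphaSOC's detection logic: it assumes "admin policy" means the AWS managed AdministratorAccess policy and that both the CreateUser and AttachUserPolicy events fall within the exported window. The account ID, user names, IP addresses and the helper names `_ev` and `triage` are constructed for illustration.

```python
# Assumption: "admin policy" means the AWS managed AdministratorAccess policy.
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}

def _ev(time, name, actor, params, ip="203.0.113.10"):
    """Build a constructed CloudTrail-style record (placeholder account and names)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "userName": actor,
                             "arn": f"arn:aws:iam::111122223333:user/{actor}"}}

# Constructed sample, deliberately out of order; not real log data.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:05:00Z", "ListBuckets", "svc-backup", None, ip="198.51.100.7"),
    _ev("2024-05-01T10:00:00Z", "CreateUser", "ci-deploy", {"userName": "svc-backup"}),
    _ev("2024-05-01T10:00:05Z", "AttachUserPolicy", "ci-deploy",
        {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2024-05-01T10:00:09Z", "CreateAccessKey", "ci-deploy", {"userName": "svc-backup"}),
    _ev("2024-05-01T11:00:00Z", "CreateUser", "ci-deploy", {"userName": "auditor"}),
    _ev("2024-05-01T11:00:03Z", "AttachUserPolicy", "ci-deploy",
        {"userName": "auditor", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]

def triage(events):
    """Return one finding per IAM user created and then given an admin policy."""
    created, findings = {}, {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        params = e.get("requestParameters") or {}
        actor = e.get("userIdentity") or {}
        target = params.get("userName")
        # Activity by a flagged user itself: the "actions performed by this user".
        if actor.get("type") == "IAMUser" and actor.get("userName") in findings:
            findings[actor["userName"]]["later_actions"].append(
                (e["eventTime"], e["eventName"], e.get("sourceIPAddress")))
        if e["eventName"] == "CreateUser" and target:
            created[target] = e
        elif (e["eventName"] == "AttachUserPolicy" and target in created
              and params.get("policyArn") in ADMIN_POLICY_ARNS):
            findings.setdefault(target, {
                "user": target,
                "created_by": created[target]["userIdentity"].get("arn"),
                "admin_attached_by": actor.get("arn"),
                "attached_at": e["eventTime"],
                "later_actions": []})
    return list(findings.values())

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each finding names the principal that created the user and attached the policy, which is where the authorization check starts, and lists what the new user did afterwards with the source address of each call.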