AWS access key created for a newly registered IAM user
Description
AlphaSOC detected the creation of an access key for a newly created AWS IAM user. The CreateUser action, followed shortly after by CreateAccessKey, may indicate an attempt by threat actors to establish persistent access to the AWS environment.
Impact
This activity could serve as an early indicator of a larger attack. Creating a new AWS IAM user with an associated access key can enable long-term access to AWS resources, potentially allowing unauthorized users to view, modify, or delete sensitive data, launch new resources, or misuse AWS services for malicious purposes.
Severity
Severity | Condition |
---|---|
Low | AWS access key created for a newly registered IAM user |
Investigation and Remediation
Evaluate the permissions assigned to the new user and the associated AWS IAM policies. Review AWS CloudTrail logs to identify the source of these API calls, including the IP address, user agent, AWS region, and any subsequent actions performed by the new user. Verify whether these actions were authorized. If unauthorized, delete the user and revoke any associated access keys.
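The correlation described above, written as an added example (not AlphaSOC's detection logic): it pairs successful CreateUser and CreateAccessKey events for the same user and returns the source IP, user agent, region and caller that the investigation step asks for. The 60-minute window, the helper names and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumption: the page only says "shortly after"

def _rec(time, name, caller, target, ip="198.51.100.23", error=None):
    """Build a constructed record that uses real CloudTrail field names."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com",
           "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userAgent": "aws-cli/2.15.0", "userIdentity": {"userName": caller,
               "arn": f"arn:aws:iam::111122223333:user/{caller}"},
           "requestParameters": {"userName": target} if target else None}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample data (documentation IP ranges, placeholder account ID).
SAMPLE_EVENTS = [
    _rec("2024-05-01T08:00:00Z", "CreateUser", "ops-admin", "temp-user"),
    _rec("2024-05-01T10:00:00Z", "CreateUser", "ops-admin", "svc-backup"),
    _rec("2024-05-01T10:01:00Z", "CreateAccessKey", "ops-admin", "svc-backup",
         error="AccessDenied"),                       # failed call: ignored
    _rec("2024-05-01T10:02:30Z", "CreateAccessKey", "ops-admin", "svc-backup",
         ip="203.0.113.7"),                           # 150 s after CreateUser
    _rec("2024-05-01T10:05:00Z", "CreateAccessKey", "alice", None),  # old user
    _rec("2024-05-01T11:30:00Z", "CreateAccessKey", "ops-admin", "temp-user"),
]

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _target_user(rec):
    # CreateAccessKey sent without userName targets the calling user itself.
    params = rec.get("requestParameters") or {}
    return params.get("userName") or rec.get("userIdentity", {}).get("userName")

def find_new_user_keys(records, window=WINDOW):
    created, findings = {}, []  # created: userName -> its CreateUser record
    for rec in sorted(records, key=_ts):
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("errorCode"):
            continue
        user = _target_user(rec)
        if rec["eventName"] == "CreateUser":
            created[user] = rec
        elif rec["eventName"] == "CreateAccessKey" and user in created:
            delay = _ts(rec) - _ts(created[user])
            if delay <= window:
                findings.append({"user": user, "delay_seconds": int(delay.total_seconds()),
                    "caller_arn": rec["userIdentity"]["arn"], "region": rec["awsRegion"],
                    "source_ip": rec["sourceIPAddress"], "user_agent": rec["userAgent"]})
    return findings
```

Calling find_new_user_keys(SAMPLE_EVENTS) reports only svc-backup; the key for temp-user falls outside the assumed window and the key alice creates for herself has no matching CreateUser.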