Suspicious AWS IAM user created with generic name
Description
AlphaSOC detected the creation of an AWS IAM user with a generic name (e.g., "user", "admin", "root") using the CreateUser action. Generic usernames suggest poor naming conventions, which can cause confusion and hinder accurate security logging. Additionally, such names may indicate a compromise, as threat actors often use them to blend in with legitimate users and evade detection.
Impact
Generic AWS IAM usernames complicate accurate tracking of user activities. These accounts may be overlooked during security audits, increasing the risk of persistent unauthorized access.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS IAM user created with generic name |
| Low | AWS IAM user created with generic name unexpectedly |
| Medium | Suspicious AWS IAM user created with generic name |
Investigation and Remediation
Review AWS CloudTrail logs to identify who created the new AWS IAM user and verify whether the action was authorized. If unauthorized, rotate potentially compromised credentials and investigate the full scope of actions performed by this user for signs of a compromise.
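The detection in the Description and the first investigation step above (find the CreateUser event and who issued it) as an added example; this is illustrative code, not AlphaSOC's detection logic. The CloudTrail records are constructed, and the generic-name list and the digit-stripping normalisation ("admin1" matches "admin") are assumptions.

```python
import json

# Generic usernames to flag: the page's examples plus a few common ones (assumption).
GENERIC_NAMES = {"user", "admin", "administrator", "root", "test", "guest", "service"}

# Constructed CloudTrail records (not real log data) in CloudTrail's JSON shape:
# one IAM CreateUser with a generic name, one with a descriptive name, one S3 call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "Admin"}},
    {"eventTime": "2024-05-01T10:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "ci-deploy-bot"}},
    {"eventTime": "2024-05-01T10:17:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
]})


def find_generic_user_creations(log_text, generic_names=GENERIC_NAMES):
    """Return one finding per successful IAM CreateUser whose userName is generic.

    Each finding carries what the investigation step needs: the created name,
    the identity that created it, its source IP and the event time.
    """
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "CreateUser":
            continue
        if rec.get("errorCode"):  # a denied or failed call did not create a user
            continue
        name = (rec.get("requestParameters") or {}).get("userName", "")
        # Normalise: case-insensitive, trailing digits dropped ("Admin", "user2").
        if name.lower().rstrip("0123456789") not in generic_names:
            continue
        findings.append({
            "created_user": name,
            "created_by": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "event_time": rec.get("eventTime"),
        })
    return findings


if __name__ == "__main__":
    for f in find_generic_user_creations(SAMPLE_LOG):
        print(f"{f['event_time']} {f['created_by']} created generic IAM user "
              f"'{f['created_user']}' from {f['source_ip']}")
```

Feed it the decompressed CloudTrail JSON objects from your trail's S3 prefix, or adapt the filter to a CloudTrail Lake or SIEM query with the same three conditions.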