Use of an AWS IAM user that was unused for a long period
Description
AlphaSOC detected that an AWS IAM user account that was inactive for an extended period was unexpectedly used. This could indicate that a dormant account has been compromised. Threat actors often target unused accounts as they are less likely to be monitored closely.
Impact
The unexpected use of a long-dormant IAM user account may indicate unauthorized access to AWS resources, potentially leading to data breaches, resource misuse, or further compromise of the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Medium | Use of an AWS IAM user that was unused for a long period |
Investigation and Remediation
Review AWS CloudTrail logs to identify all actions performed by this user. Verify whether the use of the dormant account was authorized. If it was not, rotate the potentially compromised credentials and perform a security audit of the AWS environment for other signs of compromise.
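
The check described above, applied to CloudTrail records during review, as an added example; it is not AlphaSOC's detection logic. The 90-day threshold, the account ID, the user names and the sample records are constructed assumptions, since the page specifies only "a long period".

```python
from datetime import datetime, timedelta

# Assumption: the page says only "a long period"; 90 days is an illustrative threshold.
DORMANCY_THRESHOLD = timedelta(days=90)

def _record(time, name, id_type, arn, ip):
    """Build a constructed CloudTrail record holding only the fields used below."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": id_type, "arn": arn}}

ACCT = "arn:aws:iam::111122223333"  # constructed account ID
ROLE = "arn:aws:sts::111122223333:assumed-role/app/session"  # constructed role session
# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    _record("2023-03-01T08:00:00Z", "PutObject", "IAMUser", ACCT + ":user/svc-backup", "198.51.100.10"),
    _record("2024-01-05T09:00:00Z", "DescribeInstances", "IAMUser", ACCT + ":user/alice", "198.51.100.20"),
    _record("2024-02-10T09:30:00Z", "DescribeInstances", "IAMUser", ACCT + ":user/alice", "198.51.100.20"),
    _record("2024-02-11T10:00:00Z", "GetObject", "AssumedRole", ROLE, "198.51.100.30"),
    _record("2024-02-12T08:00:00Z", "ListBuckets", "IAMUser", ACCT + ":user/svc-backup", "203.0.113.77"),
    _record("2024-02-12T08:05:00Z", "GetObject", "IAMUser", ACCT + ":user/svc-backup", "203.0.113.77"),
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_dormant_user_activity(events, threshold=DORMANCY_THRESHOLD):
    """Flag each IAM user event that follows inactivity longer than threshold."""
    last_seen, findings = {}, []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser":
            continue  # assumed roles, root and service principals are out of scope
        arn, when = ident.get("arn"), _ts(ev["eventTime"])
        prev = last_seen.get(arn)
        # A user with no earlier event in the data has no baseline and is not flagged.
        if prev is not None and when - prev > threshold:
            findings.append({"user": arn, "dormant_days": (when - prev).days,
                             "first_event": ev["eventName"],
                             "source_ip": ev["sourceIPAddress"]})
        last_seen[arn] = when
    return findings

if __name__ == "__main__":
    for finding in find_dormant_user_activity(SAMPLE_EVENTS):
        print(finding)
```

Each finding marks the first event after the gap, which is the starting point for pulling every later action by that user from the logs.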