Multiple AWS IAM users deleted within a short period
Description
AlphaSOC detected that multiple AWS IAM users were deleted using the
DeleteUser action within a short period of time. This API call permanently
removes an IAM user from an AWS account and can indicate adversarial efforts to
eliminate access for legitimate users.
Impact
A high frequency of AWS IAM user deletions may indicate an ongoing compromise, where threat actors lock out legitimate users, possibly to cause operational disruptions or delay incident response.
Severity
| Severity | Condition |
|---|---|
| Medium | Multiple AWS IAM users deleted within a short period |
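
The detection described above can be sketched as a sliding-window count of successful `DeleteUser` calls per calling principal in CloudTrail records. This is an added example, not AlphaSOC's own detection logic. The threshold of 3 users, the 10-minute window, the `_event` helper and all sample records are assumptions constructed for illustration, since the page does not define "multiple" or "short period".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: the page does not say what "multiple" or "short period" mean.
THRESHOLD = 3
WINDOW = timedelta(minutes=10)
ARN = "arn:aws:iam::111122223333:user/"  # constructed account id and ARN prefix

def _event(time, actor, name, target, error=None):
    """Build a minimal CloudTrail-shaped record (hypothetical helper for the sample data)."""
    ev = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": ARN + actor},
          "requestParameters": {"userName": target}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample records, not real events.
SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00Z", "hr-automation", "DeleteUser", "dave"),
    _event("2024-05-01T10:00:00Z", "ops-admin", "DeleteUser", "alice"),
    _event("2024-05-01T10:01:00Z", "intern", "DeleteUser", "frank", error="AccessDenied"),
    _event("2024-05-01T10:02:00Z", "ops-admin", "DeleteUser", "bob"),
    _event("2024-05-01T10:05:00Z", "ops-admin", "DeleteUser", "carol"),
    _event("2024-05-01T10:30:00Z", "ops-admin", "DeleteUser", "dan"),
    _event("2024-05-01T11:00:00Z", "hr-automation", "DeleteUser", "erin"),
]

def detect_bulk_user_deletion(events, threshold=THRESHOLD, window=WINDOW):
    """Map each actor ARN to the IAM users it deleted in a burst of >= threshold within window."""
    recent = defaultdict(deque)   # actor ARN -> (time, deleted user) pairs still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 UTC sorts lexically
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "DeleteUser":
            continue
        if "errorCode" in ev:     # failed calls (e.g. AccessDenied) removed nothing
            continue
        actor = ev["userIdentity"]["arn"]
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[actor]
        q.append((when, ev["requestParameters"]["userName"]))
        while when - q[0][0] > window:   # drop deletions that fell out of the window
            q.popleft()
        users = {user for _, user in q}
        if len(users) >= threshold:
            alerts.setdefault(actor, set()).update(users)
    return {actor: sorted(users) for actor, users in alerts.items()}

if __name__ == "__main__":
    print(detect_bulk_user_deletion(SAMPLE_EVENTS))
```

Grouping by the calling principal keeps routine, spread-out offboarding by an automation role from alerting, while a burst from a single identity does.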