Multiple AWS IAM users deleted within a short period
Description
AlphaSOC detected that multiple AWS IAM users were deleted using the DeleteUser action within a short period of time. This API call permanently removes an IAM user from an AWS account and can indicate adversarial efforts to eliminate access for legitimate users.
Impact
A high frequency of AWS IAM user deletions may indicate an ongoing compromise, where threat actors lock out legitimate users, possibly to cause operational disruptions or delay incident response.
Severity
| Severity | Condition |
| --- | --- |
| Medium | Multiple AWS IAM users deleted within a short period |
Investigation and Remediation
Review AWS CloudTrail logs to identify the specific IAM user or role that performed these actions and verify whether they were performed by authorized personnel or systems. If unauthorized, revoke potentially compromised credentials and conduct a thorough security assessment of the AWS environment for other signs of compromise.
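The detection and the first triage step above, as an added example that is not AlphaSOC's code: it reads CloudTrail-shaped records, counts DeleteUser events per acting principal inside a sliding window, and reports the principal ARN and the deleted users. The 10-minute window, the threshold of 3, and the sample records and ARNs are constructed assumptions; the field names (eventName, eventTime, userIdentity.arn, requestParameters.userName) are CloudTrail's own.

```python
# Added example (not AlphaSOC's code): flag principals that issue several
# IAM DeleteUser calls within a short window, using CloudTrail field names
# (eventName, eventTime, userIdentity.arn, requestParameters.userName).
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)  # assumption: what counts as a "short period"
THRESHOLD = 3                   # assumption: what counts as "multiple"

def find_deletion_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return {actor_arn: [deleted user names]} for actors with >= threshold DeleteUser events in one window."""
    by_actor = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") != "DeleteUser":
            continue
        # CloudTrail eventTime is ISO-8601 UTC with a trailing 'Z'.
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        actor = r.get("userIdentity", {}).get("arn", "<unknown>")
        by_actor[actor].append((ts, r.get("requestParameters", {}).get("userName", "<unknown>")))

    alerts = {}
    for actor, events in by_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                alerts[actor] = [name for _, name in events[start:end + 1]]
                break
    return alerts

def _rec(t, actor, target, event="DeleteUser"):  # constructed CloudTrail-shaped record, not real log data
    return {"eventSource": "iam.amazonaws.com", "eventName": event, "eventTime": t,
            "userIdentity": {"arn": actor}, "requestParameters": {"userName": target}}

SUSPECT = "arn:aws:iam::111122223333:user/build-deploy"  # constructed ARN
OPS = "arn:aws:iam::111122223333:user/ops-admin"         # constructed ARN
SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:05Z", SUSPECT, "alice"),
    _rec("2024-05-01T10:01:10Z", SUSPECT, "bob"),
    _rec("2024-05-01T10:03:00Z", SUSPECT, "carol-key", event="DeleteAccessKey"),  # not a DeleteUser
    _rec("2024-05-01T10:04:30Z", SUSPECT, "carol"),
    _rec("2024-05-01T09:00:00Z", OPS, "contractor-a"),  # routine offboarding,
    _rec("2024-05-01T15:00:00Z", OPS, "contractor-b"),  # hours apart: no alert
]

if __name__ == "__main__":
    for actor, users in find_deletion_bursts(SAMPLE_RECORDS).items():
        print(f"ALERT: {actor} deleted {len(users)} IAM users: {', '.join(users)}")
```

On the constructed sample the ops principal's two deletions hours apart stay silent while the three deletions in under five minutes raise one alert naming the acting principal, which is the identity to verify against CloudTrail and authorized change records.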