AWS API calls by a malicious account

ID: aws_malicious_account
Data type: AWS CloudTrail
Severity: High
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected AWS API activity originating from or involving an AWS account ID that is known to be associated with malicious activities. This may include cross-account role assumptions, resource sharing invitations, or direct API calls from the malicious account. Threat actors operate AWS accounts to launch attacks, serve malware, or act as staging points for cross-account compromise.

Impact

Interactions with a known malicious AWS account pose a significant risk of account compromise or data exposure. Cross-account assume-role requests from malicious accounts may indicate an attempt to gain unauthorized access to your AWS resources. Even seemingly innocuous cross-account resource sharing from a malicious source should be treated as a potential threat vector that requires immediate investigation.

Severity

Severity    Condition
High        Activity involving a known malicious AWS account

Investigation and Remediation

Review the CloudTrail event to determine the nature of the interaction with the malicious account, including any cross-account role assumptions, resource policies, or sharing invitations. Revoke any resource-based policies or cross-account trust relationships that reference the malicious account. If a successful cross-account role assumption occurred, treat the environment as potentially compromised and investigate all actions performed under the assumed role. Report the malicious account to AWS Security.
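As an added example (not AlphaSOC's detector or any code from the page), the following script applies the same idea to raw CloudTrail records: it collects every account ID a record references (the caller, the recipient account, and any account embedded in ARNs or principal lists in the request parameters) and labels records that involve an account on a blocklist, distinguishing a cross-account AssumeRole from the malicious side, a direct API call by it, and a sharing or policy request that names it. The blocklist entry, the monitored account ID and the three records are constructed sample values.

```python
import json
import re

# Constructed placeholder: replace with the real threat-intelligence feed of malicious account IDs.
MALICIOUS_ACCOUNTS = {"111122223333"}
OUR_ACCOUNT = "123456789012"  # constructed sample value for the monitored account

ACCOUNT_RE = re.compile(r"\b\d{12}\b")  # AWS account IDs are exactly 12 digits

def accounts_in_event(event):
    """Collect every account ID a CloudTrail record references: the caller
    (userIdentity.accountId), the recipient account, and any account inside
    ARNs or principal lists found in requestParameters/resources."""
    found = {v for v in (event.get("userIdentity", {}).get("accountId"),
                         event.get("recipientAccountId")) if v}
    for blob in (event.get("requestParameters"), event.get("resources")):
        if blob:
            found.update(ACCOUNT_RE.findall(json.dumps(blob)))
    return found

def classify(event):
    """Return a finding label if the record involves a malicious account, else None."""
    hits = accounts_in_event(event) & MALICIOUS_ACCOUNTS
    if not hits:
        return None
    caller = event.get("userIdentity", {}).get("accountId")
    if event.get("eventName") == "AssumeRole" and caller in hits:
        return "cross-account AssumeRole from malicious account"
    if caller in hits:
        return "API call from malicious account"
    return "request references malicious account (sharing/policy)"

def scan(events):
    """Run the check over CloudTrail records; returns (eventID, label) pairs."""
    return [(e["eventID"], label) for e in events if (label := classify(e))]

# Constructed sample records, trimmed to the fields the check uses.
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "AWSAccount", "accountId": "111122223333"},
     "recipientAccountId": OUR_ACCOUNT,
     "requestParameters": {"roleArn": f"arn:aws:iam::{OUR_ACCOUNT}:role/Deploy"}},
    {"eventID": "evt-2", "eventName": "CreateResourceShare", "eventSource": "ram.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": OUR_ACCOUNT},
     "recipientAccountId": OUR_ACCOUNT,
     "requestParameters": {"principals": ["111122223333"]}},
    {"eventID": "evt-3", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": OUR_ACCOUNT},
     "recipientAccountId": OUR_ACCOUNT, "requestParameters": None},
]
```

Running scan(SAMPLE_EVENTS) flags the first two records and leaves the routine DescribeInstances call alone; in practice the blocklist would be fed from threat intelligence and the records from a CloudTrail log stream.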