AWS Organization invite sent for another account to join the organization
Description
AlphaSOC detected the use of the InviteAccountToOrganization action to invite another AWS account to join the organization. This activity may indicate a potential compromise, where threat actors attempt to establish persistent access to the AWS environment by adding unauthorized accounts.
Impact
Use of this action may enable threat actors to establish persistence mechanisms within the AWS environment, maintaining unauthorized access and facilitating further compromise of organizational resources.
Severity
Severity | Condition |
---|---|
Medium | AWS Organization invite sent for another account to join the organization |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user who initiated the action and examine their recent activities. Verify whether this action was authorized. If unauthorized and the invitation was accepted, remove the account from the organization. Revoke any potentially compromised credentials and conduct a thorough security assessment of the AWS environment.
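
The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it pulls each InviteAccountToOrganization call out of a batch of records, names the initiating principal, and lists that principal's other calls. The sample records are constructed, the `requestParameters.target` layout is assumed to mirror the API request, and `APPROVED_TARGETS` is a hypothetical allowlist.

```python
import json

# Constructed CloudTrail records (not real log data). The requestParameters.target
# layout is an assumption based on the API request shape.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/build-bot"}},
 {"eventTime": "2024-05-01T10:05:42Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "InviteAccountToOrganization", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/build-bot"},
  "sourceIPAddress": "198.51.100.7", "requestParameters": {"target": {"id": "999999999999", "type": "ACCOUNT"}}},
 {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "InviteAccountToOrganization", "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"},
  "sourceIPAddress": "203.0.113.20", "requestParameters": {"target": {"id": "222222222222", "type": "ACCOUNT"}}},
 {"eventTime": "2024-05-02T09:30:00Z", "eventSource": "organizations.amazonaws.com", "errorCode": "AccessDeniedException",
  "eventName": "InviteAccountToOrganization", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/build-bot"},
  "sourceIPAddress": "198.51.100.7", "requestParameters": null}
]""")

APPROVED_TARGETS = {"222222222222"}  # hypothetical change-approved invitees


def triage_invites(records, approved_targets):
    """Return one finding per InviteAccountToOrganization call, with context."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "organizations.amazonaws.com"
                or rec.get("eventName") != "InviteAccountToOrganization"):
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        # requestParameters can be null on failed calls, so default to {}.
        target = (rec.get("requestParameters") or {}).get("target") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "actor": actor,
            "source_ip": rec.get("sourceIPAddress"),
            "target": target.get("id"),
            "succeeded": "errorCode" not in rec,
            "authorized": target.get("id") in approved_targets,
            # Other calls by the same principal, for reviewing recent activity.
            "actor_other_events": sorted(
                r.get("eventName", "") for r in records
                if r is not rec and r.get("userIdentity", {}).get("arn") == actor),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_invites(SAMPLE_RECORDS, APPROVED_TARGETS):
        print(json.dumps(finding))
```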