Suspicious AWS API calls indicating modification of AWS Resource Access Manager
Description
AlphaSOC detected modifications to AWS Resource Access Manager (RAM) settings. AWS RAM enables users to share AWS resources across accounts, organizations, and organizational units. Threat actors may exploit these settings to manipulate resource sharing configurations, potentially granting unauthorized access to critical resources or expanding the attack surface.
Impact
Unauthorized modifications to AWS RAM settings may indicate an ongoing attack, with potential adversaries seeking to expand their access to the organization's AWS resources. Such changes could allow them to exfiltrate sensitive data, escalate privileges, or disrupt critical business operations.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the modified AWS RAM settings, including the affected resources and accounts involved in the sharing configuration. Review AWS CloudTrail logs to identify the IAM user or role responsible for the changes and verify whether they were authorized. If unauthorized, revert the AWS RAM settings to their previous state and rotate potentially compromised credentials.
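To support the CloudTrail review described above, the following is an added Python example (not AlphaSOC's detection code) that scores RAM write calls from a CloudTrail `Records` list against an account baseline and applies the severity tiers from the table. The baseline, the IP-to-ASN map and the sample records are constructed data, and treating four unexpected properties as Medium is an assumption, since the table stops at three.

```python
RAM_EVENT_SOURCE = "ram.amazonaws.com"
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}  # tiers from the table above

# Constructed baseline for a hypothetical account: what its RAM changes normally look like.
BASELINE = {
    "actions": {"CreateResourceShare", "AssociateResourceShare", "UpdateResourceShare"},
    "user_agent_prefixes": ("console.amazonaws.com", "terraform"),
    "regions": {"us-east-1"},
    "asns": {64500},
}
# CloudTrail records only the source IP; this constructed map stands in for an ASN enrichment lookup.
IP_TO_ASN = {"203.0.113.10": 64500, "198.51.100.7": 64496}

def unexpected_properties(event, baseline=BASELINE):
    """Return which of action, ASN, user agent and region fall outside the baseline."""
    checks = {
        "action": event["eventName"] in baseline["actions"],
        "asn": IP_TO_ASN.get(event.get("sourceIPAddress")) in baseline["asns"],
        "user_agent": event.get("userAgent", "").startswith(baseline["user_agent_prefixes"]),
        "region": event["awsRegion"] in baseline["regions"],
    }
    return [name for name, ok in checks.items() if not ok]

def triage(records, baseline=BASELINE):
    """Return (principal ARN, event name, severity, unexpected properties) for each RAM write
    call with an unexpected property; read-only calls and other services are skipped, and four
    unexpected properties are capped at Medium (an assumption, the table stops at three)."""
    hits = []
    for ev in records:
        if ev.get("eventSource") != RAM_EVENT_SOURCE or ev.get("readOnly", False):
            continue
        props = unexpected_properties(ev, baseline)
        if props:
            hits.append((ev["userIdentity"].get("arn"), ev["eventName"],
                         SEVERITY[min(len(props), 3)], props))
    return hits

def record(name, region, ip, agent, arn, read_only=False):
    """Build a constructed CloudTrail record carrying only the fields triage() reads."""
    return {"eventSource": RAM_EVENT_SOURCE, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userAgent": agent, "readOnly": read_only,
            "userIdentity": {"arn": arn}}

# Constructed sample trail; 111122223333 is a placeholder account ID.
CI, CONTRACTOR = "arn:aws:iam::111122223333:role/ci-deploy", "arn:aws:iam::111122223333:user/contractor"
SAMPLE_RECORDS = [
    record("CreateResourceShare", "us-east-1", "203.0.113.10", "terraform/1.5", CI),
    record("EnableSharingWithAwsOrganization", "us-east-1", "198.51.100.7", "aws-cli/2.13.0", CONTRACTOR),
    record("GetResourceShares", "us-east-1", "198.51.100.7", "aws-cli/2.13.0", CONTRACTOR, read_only=True),
    record("UpdateResourceShare", "eu-west-3", "203.0.113.10", "terraform/1.5", CI),
]
```

Running `triage(SAMPLE_RECORDS)` flags the contractor's `EnableSharingWithAwsOrganization` call as Medium (unexpected action, ASN and user agent) and the CI role's `UpdateResourceShare` from an unusual region as Informational, while the read-only `GetResourceShares` call is ignored.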