Unexpected AWS API calls indicating SSO access token creation

ID: aws_sso_access_token_created_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected the creation of an AWS Single Sign-On (SSO) access token. AWS SSO tokens are used to authenticate users across multiple AWS services without requiring repeated logins. Adversaries may create AWS SSO tokens to maintain persistent access to systems and bypass authentication controls.

Impact

The unauthorized creation of AWS SSO tokens can enable prolonged, undetected access to multiple AWS services. Threat actors could exploit this access for data exfiltration, lateral movement, and further network compromise. A single compromised token can potentially grant broad access to an organization’s digital infrastructure.

Severity

| Severity | Condition |
| --- | --- |
| Informational | Unexpected action, ASN, user agent, or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |

Investigation and Remediation

Review AWS CloudTrail logs to investigate the token creation and determine whether it was authorized. In the case of a compromise, note that AWS SSO tokens cannot be directly revoked like traditional AWS IAM credentials. Instead, you should invalidate the token's access by managing related permissions. This can be achieved by updating or removing the AWS IAM policies associated with the token, effectively restricting its access to AWS resources.
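The following Python script is an added illustration of the severity logic in the table above and of the CloudTrail review step described here; it is not AlphaSOC's detection code. It filters constructed CloudTrail-style records down to SSO access token creation events, counts how many of the four properties (action, ASN, user agent, region) are new for the calling principal compared with a baseline, and maps that count to the page's severity levels. It assumes that IAM Identity Center's OIDC service logs token issuance as `CreateToken` under the `sso-oidc.amazonaws.com` event source, and that an `asn` field has been added to each record by an upstream IP-to-ASN enrichment step (CloudTrail itself does not log ASNs). All ARNs, IP addresses, ASNs and user agents are hypothetical.

```python
import json

# Assumption: IAM Identity Center's OIDC service records access-token issuance as the
# CreateToken API call under the sso-oidc.amazonaws.com event source.
TOKEN_CREATION_EVENTS = {("sso-oidc.amazonaws.com", "CreateToken")}

# Severity keyed on how many properties of the call are new for this principal,
# following the severity table on this page (four unexpected properties stays Medium).
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

ALICE = "arn:aws:iam::123456789012:user/alice"   # hypothetical principal
BOB = "arn:aws:iam::123456789012:user/bob"       # hypothetical principal, no baseline
SSO_OIDC = "sso-oidc.amazonaws.com"

# Constructed per-principal baseline of properties seen in earlier, reviewed activity.
BASELINE = {
    ALICE: {
        "action": {"CreateToken"},
        "asn": {"AS16509"},
        "user_agent": {"aws-cli/2.15.0"},
        "region": {"us-east-1"},
    },
}


def _record(event_id, arn, source, name, asn, agent, region, ip):
    """Build a constructed CloudTrail-style record (not real log data)."""
    return {
        "eventID": event_id,
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": ip,
        "userAgent": agent,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        # Assumed to be added by an enrichment step mapping sourceIPAddress to an
        # autonomous system; CloudTrail does not emit this field.
        "asn": asn,
    }


# Constructed sample events: a normal token creation, two anomalous ones, an unrelated
# STS call that must be ignored, and a token creation by a principal with no history.
SAMPLE_RECORDS = [
    _record("evt-1", ALICE, SSO_OIDC, "CreateToken", "AS16509", "aws-cli/2.15.0", "us-east-1", "203.0.113.10"),
    _record("evt-2", ALICE, SSO_OIDC, "CreateToken", "AS64500", "aws-cli/2.15.0", "us-east-1", "198.51.100.7"),
    _record("evt-3", ALICE, SSO_OIDC, "CreateToken", "AS64500", "python-requests/2.31.0", "eu-west-1", "198.51.100.7"),
    _record("evt-4", ALICE, "sts.amazonaws.com", "GetCallerIdentity", "AS16509", "aws-cli/2.15.0", "us-east-1", "203.0.113.10"),
    _record("evt-5", BOB, SSO_OIDC, "CreateToken", "AS64500", "curl/8.4.0", "ap-southeast-1", "198.51.100.9"),
]


def is_sso_token_creation(record):
    """True when the record is an SSO access token creation call."""
    return (record.get("eventSource"), record.get("eventName")) in TOKEN_CREATION_EVENTS


def extract_properties(record):
    """Pull out the four properties the detection compares against the baseline."""
    return {
        "action": record.get("eventName"),
        "asn": record.get("asn"),
        "user_agent": record.get("userAgent"),
        "region": record.get("awsRegion"),
    }


def unexpected_properties(record, baseline):
    """Return the sorted names of properties not previously seen for this principal."""
    principal = record.get("userIdentity", {}).get("arn")
    known = baseline.get(principal, {})
    props = extract_properties(record)
    return sorted(name for name, value in props.items() if value not in known.get(name, set()))


def severity_for(unexpected):
    """Map the number of unexpected properties to the page's severity levels."""
    return SEVERITY_BY_COUNT[min(len(unexpected), 3)]


def evaluate(records, baseline=BASELINE):
    """Produce one finding per anomalous token creation, with context for log review."""
    findings = []
    for record in records:
        if not is_sso_token_creation(record):
            continue
        unexpected = unexpected_properties(record, baseline)
        severity = severity_for(unexpected)
        if severity is None:
            continue  # fully baseline-consistent: nothing to raise
        findings.append({
            "eventID": record["eventID"],
            "principal": record["userIdentity"]["arn"],
            "sourceIPAddress": record["sourceIPAddress"],
            "severity": severity,
            "unexpected": unexpected,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RECORDS), indent=2))
```

Running the script prints three findings: an Informational one for the token created from a new ASN, and two Medium ones for the call with a new ASN, user agent and region, and for the principal with no recorded history at all. The `sourceIPAddress` and `principal` fields are carried into each finding so that an analyst reviewing CloudTrail can pivot straight to the surrounding activity of that identity and address.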