Triggers
- A credential was observed enabling external access to AWS resources through an IAM role.
Possible Root Causes
- An attacker may be creating a means of accessing data from a separate AWS account.
- A sanctioned third-party security or IT service may be granted access to AWS resources in order to perform normal activities.
Business Impact
- Once an adversary achieves persistent access, they’ve established the opportunity to stage subsequent phases of an attack.
Steps to Verify
- Validate that the access is authorized, given the purpose and policies governing these resources.
- If review indicates possible malicious actions or high-risk configuration, delete the created IAM role and disable the credentials associated with this alert, then perform a comprehensive investigation.
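
One way to support the validation step, as an added example that is not part of the original detection description: it reads the trust policy carried in CloudTrail `CreateRole` and `UpdateAssumeRolePolicy` events and lists principals outside the account that owns the role. The function names, the sanctioned-account set, and the sample events with their account IDs are constructed for illustration.

```python
import json
import re

# CloudTrail event name -> request parameter holding the trust policy JSON
TRUST_POLICY_PARAM = {"CreateRole": "assumeRolePolicyDocument",
                      "UpdateAssumeRolePolicy": "policyDocument"}
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def external_principals(policy_json, home_account, sanctioned=frozenset()):
    """AWS principals in Allow statements outside home_account and not sanctioned."""
    found = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" is a bare string; otherwise only the "AWS" key names accounts
        aws = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        for p in [aws] if isinstance(aws, str) else aws:
            m = ACCOUNT_RE.match(p)
            account = m.group(1) if m else None
            if p == "*" or (account and account not in {home_account, *sanctioned}):
                found.append(p)
    return found

def review(event, sanctioned=frozenset()):
    """Return external principals granted by a role-trust change event, else []."""
    param = TRUST_POLICY_PARAM.get(event.get("eventName"))
    if param is None:
        return []
    policy = (event.get("requestParameters") or {}).get(param, "{}")
    return external_principals(policy, event["recipientAccountId"], sanctioned)

def _trust(principal):  # builds a constructed sample trust policy
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]})

def _event(name, param, principal):  # constructed sample event, home account 111111111111
    return {"eventName": name, "recipientAccountId": "111111111111",
            "requestParameters": {"roleName": "example-role", param: _trust(principal)}}

SAMPLE_EVENTS = [
    _event("CreateRole", "assumeRolePolicyDocument", {"AWS": "arn:aws:iam::999999999999:root"}),
    _event("CreateRole", "assumeRolePolicyDocument", {"Service": "ec2.amazonaws.com"}),
    _event("UpdateAssumeRolePolicy", "policyDocument",
           {"AWS": ["arn:aws:iam::111111111111:role/ci", "222222222222"]}),
]
```

Passing the account IDs of sanctioned third-party services as `sanctioned` separates the two root causes listed above: a known vendor account returns nothing, while an unrecognized account or a wildcard principal is returned for review.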