AWS Suspect Credential Access from SSM
Detection overview
Triggers
- Credential was observed performing a set of API requests to list and then retrieve parameters within the AWS parameter store.
Possible Root Causes
- An attacker may be actively looking for privilege escalation opportunities.
- A security or IT service may intentionally be enumerating these APIs for monitoring or configuration management reasons.
Business Impact
- Stolen credentials allow an adversary to leverage authorized services and APIs to extend their attack which can be difficult for traditional security solutions to detect. • Abused credentials are typically associated with impactful attacks, and if unmitigated may increase the likelihood that an adversary may inflict a loss of data or service availability.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Validate that parameters requested do not contain sensitive details, such as credentials. If they do, investigate those credentials for potential malicious use.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspect Credential Access from SSM
Possible root causes
Malicious Detection
Benign Detection
AWS Suspect Credential Access from SSM
Example scenarios
AWS Suspect Credential Access from SSM
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
AWS Suspect Credential Access from SSM
Steps to investigate
AWS Suspect Credential Access from SSM
Related detections
No items found.