AWS Suspect External Access Granting

View all detections
AWS Suspect External Access Granting


  • A credential was observed enabling external access to AWS resources through an IAM role.

Possible Root Causes

  • An attacker may be creating a means of accessing data from a separate AWS account.
  • A sanctioned third-party security or IT service may be granted access to AWS resources in order to perform normal activities.

Business Impact

  • Once an adversary achieves persistent access, they’ve established the opportunity to stage subsequent phases of an attack.

Steps to Verify

  • Validate that the access is authorized, given the purpose and policies governing these resources.
  • If review indicates possible malicious actions or high-risk configuration, delete the created IAM role and disable credentials associated with this alert then perform a comprehensive investigation.