A source AWS account modifies the login profile of a target account, following which the target account accesses the AWS console.
Possible Root Causes
An attacker is enabling access to the console for credentials they have access to, to further their attack.
An administrator has enabled console access for another user within the environment.
Business Impact
Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
Investigate the account context that performed the action for other signs of malicious activity.
Validate that any modifications are authorized, given the purpose and policies governing this resource.
If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspect Login Profile Manipulation
Possible root causes
Malicious Detection
Benign Detection
AWS Suspect Login Profile Manipulation
Example scenarios
AWS Suspect Login Profile Manipulation
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.
Don't just read about the possibilities – experience them.