- A credential was observed performing a set of API requests capable of disabling native AWS security measures.
Possible Root Causes
- Attackers are attempting to disable or downgrade AWS security mechanisms to blind defenders or to enable further malicious activities without the risk of detection.
- A security or IT service may intentionally be disabling security tools while troubleshooting problems.
- Attackers who have successfully degraded, disabled, or bypassed security controls can more easily progress towards their objectives.
- Unintentional disabling of security controls increases the potential impact of both present and future attacks against the organization.
Steps to Verify
- Review if this configuration is expected and appropriate in light of any available compensating controls.
- If this is a temporary configuration for troubleshooting purposes, confirm the security control has been re-enabled once that troubleshooting is complete.
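One way to run the re-enable check above against CloudTrail records, as an added example that is not part of the original detection: it lists successful disable calls that have no later successful restore call on the same target. The call mapping is a small illustrative subset, the sample records are constructed, and matching disable and restore calls on identical requestParameters is an assumption.

```python
import json

# (eventSource, eventName) of calls that switch a control off, mapped to the
# eventName that restores it (None: resource was deleted and must be recreated).
DISABLE_TO_RESTORE = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "StartLogging",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): None,
    ("config.amazonaws.com", "StopConfigurationRecorder"): "StartConfigurationRecorder",
    ("guardduty.amazonaws.com", "DeleteDetector"): None,
    ("securityhub.amazonaws.com", "DisableSecurityHub"): "EnableSecurityHub",
    ("ec2.amazonaws.com", "DeleteFlowLogs"): None,
}

def unrestored_disables(records):
    """Return successful disable calls with no later successful restore on the same target."""
    pending = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if r.get("errorCode"):  # failed calls changed nothing
            continue
        src, name = r["eventSource"], r["eventName"]
        # Assumption: disable and restore calls carry identical requestParameters.
        target = json.dumps(r.get("requestParameters") or {}, sort_keys=True)
        if (src, name) in DISABLE_TO_RESTORE:
            pending.append((src, DISABLE_TO_RESTORE[(src, name)], target, r))
        else:
            pending = [p for p in pending if p[:3] != (src, name, target)]
    return [{"time": r["eventTime"], "actor": r["userIdentity"]["arn"],
             "call": r["eventName"], "target": t} for _, _, t, r in pending]

def _rec(time, src, name, params, actor, error=None):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    rec = {"eventTime": time, "eventSource": src + ".amazonaws.com", "eventName": name,
           "requestParameters": params,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:" + actor}}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_RECORDS = [  # constructed sample input
    _rec("2024-05-01T10:00:00Z", "cloudtrail", "StopLogging", {"name": "org-trail"}, "user/ops-alice"),
    _rec("2024-05-01T10:05:00Z", "config", "StopConfigurationRecorder", {"configurationRecorderName": "default"}, "role/ci-deploy"),
    _rec("2024-05-01T10:20:00Z", "cloudtrail", "StartLogging", {"name": "org-trail"}, "user/ops-alice"),
    _rec("2024-05-01T10:30:00Z", "guardduty", "DeleteDetector", {"detectorId": "constructed-detector-id"}, "role/ci-deploy"),
    _rec("2024-05-01T10:40:00Z", "config", "StartConfigurationRecorder", {"configurationRecorderName": "default"}, "role/ci-deploy", "AccessDenied"),
]

if __name__ == "__main__":
    for finding in unrestored_disables(SAMPLE_RECORDS):
        print(finding)
```

The failed StartConfigurationRecorder call in the sample does not clear the finding, because only successful restore calls count as re-enabling the control.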