AWS Suspect Credential Access from SSM

View all detections
AWS Suspect Credential Access from SSM

Triggers

  • Credential was observed performing a set of API requests to list and then retrieve parameters within the AWS parameter store.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities.
  • A security or IT service may intentionally be enumerating these APIs for monitoring or configuration management reasons.

Business Impact

  • Stolen credentials allow an adversary to leverage authorized services and APIs to extend their attack which can be difficult for traditional security solutions to detect. • Abused credentials are typically associated with impactful attacks, and if unmitigated may increase the likelihood that an adversary may inflict a loss of data or service availability.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that parameters requested do not contain sensitive details, such as credentials. If they do, investigate those credentials for potential malicious use.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.