Skip to content
Threat Feed

Product

AWS Identity and Access Management (IAM)

5 briefs RSS
high threat

AWS IAM CompromisedKeyQuarantine Policy Attachment

Detection of the AWS `CompromisedKeyQuarantine` policy being attached to an IAM user, indicating that AWS has flagged the user's credentials as compromised or publicly exposed, and is providing instructions via a support case for remediation.

AWS Identity and Access Management AWS credential-access cloud
2r 2t
medium advisory

AWS KMS Key User Performing S3 Encryption Detection

Detection of AWS users utilizing KMS keys to perform encryption operations on S3 buckets, indicating potential misuse or malicious activity within the cloud environment.

AWS Key Management Service +3 cloud aws kms s3 encryption
2r 1t
low advisory

AWS IAM API Calls via Temporary Session Tokens

Detection of AWS IAM API operations using temporary session credentials, indicating potential credential theft, session hijacking, or privileged role abuse for persistence and defense evasion.

AWS Identity and Access Management +2 cloud aws iam session-token persistence privilege-escalation
3r 2t
low advisory

AWS IAM Group Creation for Persistence

An adversary with compromised IAM write privileges creates a new group in AWS IAM and grants it excessive permissions to establish a persistence mechanism.

AWS Identity and Access Management aws iam persistence cloud
2r 1t
medium advisory

AWS Management Console Root Login Detected

Detection of a successful AWS Management Console login by the Root user, which is an original identity with unrestricted privileges, indicates a potential security breach requiring immediate investigation.

AWS Management Console +2 cloud aws initial-access
2r 2t