New AWS API Invoked

This alert occurs when Lacework detects that a user has invoked an AWS service API method for the first time in this account and region. The service itself may have been used before; the alert fires because this is the user's first use of that specific API method in this account and region.

Why this alert is important

A change in behavior, such as using new APIs for the first time, may indicate a compromised account or malicious activity.

Why this might be just fine

The user or identity may have a legitimate reason for using a new API method.

Investigation

Use the steps below to investigate this alert:

  1. Identify the API calls made to the service, focusing on sensitive ones involving credentials, persistence, or revealing information. Below are some potentially sensitive API calls:
  2. Validate the login's legitimacy by correlating logs with your identity provider's logs, using the principal ID from the Who section. Check if the login is from a corporate asset.
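As an added illustration (not Lacework's own detection code or data), the following Python reproduces the first-seen logic this alert is built on over constructed CloudTrail-style events, then groups the resulting alerts by principal ID and source IP to support the identity-provider correlation in step 2. The `SENSITIVE_APIS` set, the account ID, the principal IDs and the IP addresses are all assumptions constructed for this example.

```python
"""First-seen AWS API detector over CloudTrail-shaped events (added example).

Keyed the same way the alert text describes: account + region + principal +
service + API method. Everything below is constructed sample data.
"""
import json
from collections import defaultdict

# Illustrative API names whose first use by a principal deserves a close look
# (credential creation, persistence, secret disclosure). This set is this
# example's own assumption, not a list taken from the alert documentation.
SENSITIVE_APIS = {
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateLoginProfile"),
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("sts.amazonaws.com", "AssumeRole"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
}


def make_event(time, principal_id, user_name, region, source, name, ip,
               account="111111111111"):
    """Build a minimal CloudTrail-shaped record (constructed, not real data)."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "recipientAccountId": account,
        "sourceIPAddress": ip,
        "userIdentity": {
            "type": "IAMUser",
            "principalId": principal_id,
            "arn": f"arn:aws:iam::{account}:user/{user_name}",
        },
    }


# Constructed principal IDs and events (account, IPs and names are made up).
ALICE, BOB = "AIDAEXAMPLEALICE00001", "AIDAEXAMPLEBOB0000001"
HISTORICAL_EVENTS = [
    make_event("2024-05-01T10:00:00Z", ALICE, "alice", "us-east-1", "s3.amazonaws.com", "ListBuckets", "203.0.113.10"),
    make_event("2024-05-01T10:05:00Z", ALICE, "alice", "us-east-1", "s3.amazonaws.com", "GetObject", "203.0.113.10"),
    make_event("2024-05-02T09:00:00Z", BOB, "bob", "us-east-1", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.11"),
]
NEW_EVENTS = [
    make_event("2024-05-03T08:00:00Z", ALICE, "alice", "us-east-1", "s3.amazonaws.com", "GetObject", "203.0.113.10"),
    make_event("2024-05-03T08:02:00Z", ALICE, "alice", "us-east-1", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.77"),
    make_event("2024-05-03T08:03:00Z", ALICE, "alice", "us-west-2", "s3.amazonaws.com", "ListBuckets", "198.51.100.77"),
    make_event("2024-05-03T08:04:00Z", ALICE, "alice", "us-west-2", "s3.amazonaws.com", "ListBuckets", "198.51.100.77"),
    make_event("2024-05-03T08:10:00Z", BOB, "bob", "us-east-1", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.11"),
]


def activity_key(event):
    """The tuple the alert is keyed on: account, region, principal, service, API."""
    return (
        event["recipientAccountId"],
        event["awsRegion"],
        event["userIdentity"]["principalId"],
        event["eventSource"],
        event["eventName"],
    )


def build_baseline(events):
    """Set of every (account, region, principal, service, API) already observed."""
    return {activity_key(e) for e in events}


def detect_new_api_invocations(baseline, events):
    """One alert per event whose key is absent from the baseline.

    The working copy of the baseline is updated as events are processed, so a
    new API called several times in the same batch produces a single alert.
    """
    seen = set(baseline)
    alerts = []
    for e in events:
        key = activity_key(e)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({
            "time": e["eventTime"],
            "principalId": key[2],
            "arn": e["userIdentity"]["arn"],
            "region": key[1],
            "api": f"{key[3]}:{key[4]}",
            "sourceIp": e["sourceIPAddress"],
            "sensitive": (key[3], key[4]) in SENSITIVE_APIS,
        })
    return alerts


def investigation_summary(alerts):
    """Group alerts by principal ID (the pivot into identity-provider logs) and
    collect the source IPs to check against known corporate asset ranges."""
    by_principal = defaultdict(lambda: {"apis": [], "sensitive_apis": [], "source_ips": set()})
    for a in alerts:
        entry = by_principal[a["principalId"]]
        entry["apis"].append(a["api"])
        entry["source_ips"].add(a["sourceIp"])
        if a["sensitive"]:
            entry["sensitive_apis"].append(a["api"])
    return dict(by_principal)


if __name__ == "__main__":
    found = detect_new_api_invocations(build_baseline(HISTORICAL_EVENTS), NEW_EVENTS)
    summary = {p: {**v, "source_ips": sorted(v["source_ips"])} for p, v in investigation_summary(found).items()}
    print(json.dumps(summary, indent=2))
```

In the sample data, alice's `GetObject` in us-east-1 is already in the baseline and stays quiet, while her first `CreateAccessKey` and her first use of S3 in a second region both alert; the summary then shows both new calls came from an IP not seen in her history, which is exactly the detail to carry into the identity-provider correlation.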

Resolution

The following are resolutions that you can implement:

  • Delete or rotate AWS access keys associated with the user.
  • Delete any console login profiles associated with the user.
  • Delete any unrecognized or unauthorized resources that were created.
  • Perform an analysis of any resources or data that were accessed.
  • Enable MFA.