New AWS User

This alert occurs when Lacework detects a new IAM user or role using an AWS account for the first time to perform actions within AWS that are logged through AWS CloudTrail. These actions can be executed through the API or the AWS console.

Why this alert is important

Identities are pivotal for access control in the cloud. Attackers may create accounts to retain access and evade detection. Our anomaly detection policy tracks new user creations and detects initial usage of newly created accounts, enabling proactive identification of potential security risks.

Why this might be just fine

As your organization continues to hire and onboard new personnel, creating new users will be a regular occurrence. It is normal to expect this alert to be triggered when new individuals join the organization and utilize the AWS cloud to fulfill their job responsibilities.

Investigation

Investigating this alert requires completing two major steps:

  1. Review the Alert Details to gather basic information about the event.

    • Why: Verify if the user in question is authorized to have access to the account.
    • When: Determine if the activity occurred during regular business hours and if it aligns with the user's typical location and working hours.
    • Who: Take note of the principal ID and check if MFA (multi-factor authentication) was enabled for this user.
    • What: Assess whether the user is accessing services and APIs that are typically associated with their role.
    • Where: Identify the AWS regions the user is accessing and be cautious of unusual region usage, as it may be an attempt to evade detection. Verify that the IP address used for the requests matches the country and city from which the user would normally access the account.
  2. Identify any additional operations performed by the new user.

    • Click the IAM user or role name mentioned in the What section. This action will filter the CloudTrail dossier to show only the activities associated with the user in question, enabling a focused analysis of the user's actions within the account during the past few hours.
    • If there is further evidence of suspicious activity indicating tactics such as discovery, enumeration, defense evasion, or exfiltration, it is crucial to initiate immediate remediation measures.
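As an added example, not Lacework's code or part of this page, the script below applies the Who/When/Where/What checks from the investigation steps to CloudTrail records: it groups events by principalId, skips principals already in a baseline, and reports first-seen time, whether the first call was MFA-authenticated, and the regions, source IPs and API calls used. The sample records, account id, ARNs and IP addresses are constructed placeholders.

```python
from collections import defaultdict
# Constructed sample CloudTrail records (account id, ARNs, IPs are placeholders),
# trimmed to the fields the investigation steps look at.
def _record(time, name, source, region, ip, pid, user, mfa=None):
    identity = {"type": "IAMUser", "principalId": pid,
                "arn": f"arn:aws:iam::111111111111:user/{user}"}
    if mfa is not None:  # sessionContext only exists for session-based (console/STS) calls
        identity["sessionContext"] = {"attributes": {"mfaAuthenticated": mfa}}
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "awsRegion": region, "sourceIPAddress": ip, "userIdentity": identity}

SAMPLE_EVENTS = [
    _record("2024-03-01T09:12:00Z", "ListBuckets", "s3.amazonaws.com",
            "us-east-1", "203.0.113.10", "AIDAEXAMPLEALICE", "alice", "true"),
    _record("2024-03-01T09:15:00Z", "DescribeInstances", "ec2.amazonaws.com",
            "us-east-1", "203.0.113.10", "AIDAEXAMPLEALICE", "alice", "true"),
    # Off-hours call from an unusual region using a long-term access key (no session, no MFA).
    _record("2024-03-01T03:40:00Z", "GetCallerIdentity", "sts.amazonaws.com",
            "ap-southeast-1", "198.51.100.77", "AIDAEXAMPLEBACKUP", "backup-svc"),
]

def mfa_authenticated(event):
    """True only when CloudTrail records an MFA-authenticated session for the call."""
    attrs = event["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def first_seen_principals(events, known_principals=frozenset()):
    """Return {principalId: who/when/where/what summary} for principals not in the baseline."""
    by_principal = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        pid = ev["userIdentity"].get("principalId")
        if pid and pid not in known_principals:
            by_principal[pid].append(ev)
    summaries = {}
    for pid, evs in by_principal.items():
        first = evs[0]  # earliest event is the principal's first observed activity
        summaries[pid] = {
            "arn": first["userIdentity"].get("arn"),
            "first_seen": first["eventTime"],
            "mfa": mfa_authenticated(first),
            "regions": sorted({e["awsRegion"] for e in evs}),
            "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
            "api_calls": [f'{e["eventSource"].split(".")[0]}:{e["eventName"]}' for e in evs],
        }
    return summaries

if __name__ == "__main__":
    for pid, s in first_seen_principals(SAMPLE_EVENTS).items():
        print(pid, s["arn"], s["first_seen"], "MFA" if s["mfa"] else "NO MFA",
              s["regions"], s["source_ips"], s["api_calls"])
```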

Resolution

The following are resolutions that you can implement:

  • Delete or rotate AWS access keys associated with the user.
  • Delete any console login profiles associated with the user.
  • Delete any unrecognized or unauthorized resources that were created.
  • Perform an analysis of any resources or data that were accessed.
  • Enable MFA.