New Cross-Account Access Made From External AWS Account
This alert occurs when Lacework detects that an identity from an external AWS account has made API calls to your account, and this behavior has not been observed before.
Why this alert is important
When an identity from another AWS account makes API calls to your account, cross-account access is taking place. The permissions granted to the cross-account role determine how much access that identity has in your account; an over-permissioned role can allow data exfiltration, resource manipulation, and other potential impact.
Cross-account access in AWS refers to granting identities (IAM users or roles) from one AWS account access to resources or services in another AWS account. This is done through IAM roles and trust relationships between the two accounts, enabling secure and controlled sharing of resources between AWS accounts.
Why might this be just fine?
Cross-account access is a common IAM design pattern used to manage multiple accounts or grant secure AWS resource access to partners and third parties. Lacework utilizes this pattern for reading CloudTrail logs and performing configuration checks as part of our AWS integrations.
Investigation
During the investigation of this alert, consider the following questions:
- What is the calling account ID, and does it belong to your organization?
- Which APIs were called as part of this alert?
- Who is the principal ID of the identity from the calling account?
- Where and what is the cross-account role that enabled this behavior?
- Who created this role and for what purpose?
- Do this role and its permissions follow the principle of least privilege?
- Which IAM groups have access to this role?
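The first four questions can be answered from CloudTrail. The following is an added triage example (not Lacework code or output) that walks constructed CloudTrail records, keeps only those where the calling account differs from the recipient account, and summarises per calling account the principal IDs, the APIs called, the roles assumed, and whether the account is on an assumed allow list of approved external accounts. Field names are standard CloudTrail fields; the account IDs, principal IDs and role names are constructed.

```python
"""Triage CloudTrail records for API calls made by another AWS account."""

OUR_ACCOUNT = "111111111111"                 # constructed
KNOWN_EXTERNAL_ACCOUNTS = {"222222222222"}   # constructed: an approved vendor account

# Constructed, trimmed CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {   # approved vendor assuming its audit role: cross-account, but known
        "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
        "recipientAccountId": OUR_ACCOUNT,
        "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                         "principalId": "AROAEXAMPLEVENDOR:audit-session"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{OUR_ACCOUNT}:role/VendorAudit"},
    },
    {   # unknown account assuming an admin role
        "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
        "recipientAccountId": OUR_ACCOUNT,
        "userIdentity": {"type": "IAMUser", "accountId": "333333333333",
                         "principalId": "AIDAEXAMPLEUNKNOWN"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{OUR_ACCOUNT}:role/CrossAccountAdmin"},
    },
    {   # same unknown account reading an object directly via a bucket policy
        "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
        "recipientAccountId": OUR_ACCOUNT,
        "userIdentity": {"type": "IAMUser", "accountId": "333333333333",
                         "principalId": "AIDAEXAMPLEUNKNOWN"},
    },
    {   # same-account activity: must be ignored
        "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
        "recipientAccountId": OUR_ACCOUNT,
        "userIdentity": {"type": "IAMUser", "accountId": OUR_ACCOUNT,
                         "principalId": "AIDAEXAMPLEINTERNAL"},
    },
]

def is_cross_account(event):
    """True when the caller's account differs from the account receiving the call.
    Note: after a role is assumed, later calls carry the role's own account ID, so
    the AssumeRole event (or direct resource-policy access) is where this shows."""
    caller = event.get("userIdentity", {}).get("accountId")
    return bool(caller) and caller != event.get("recipientAccountId")

def triage(events, known_accounts=KNOWN_EXTERNAL_ACCOUNTS):
    """Summarise cross-account activity per calling account for the investigation."""
    findings = {}
    for ev in filter(is_cross_account, events):
        caller = ev["userIdentity"]["accountId"]
        f = findings.setdefault(caller, {"known": caller in known_accounts,
                                         "principals": set(), "apis": set(), "roles_assumed": set()})
        f["principals"].add(ev["userIdentity"].get("principalId", "?"))
        f["apis"].add(f'{ev.get("eventSource", "?")}:{ev.get("eventName", "?")}')
        if ev.get("eventName") == "AssumeRole":
            f["roles_assumed"].add(ev.get("requestParameters", {}).get("roleArn", "?"))
    return findings
```

An unknown calling account with a role assumption is the case to chase first; the role ARN it assumed tells you where to look for the trust policy and who created it.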
Resolution
The following are resolutions that you can implement:
- Delete or rotate AWS access keys associated with the user.
- Delete any console login profiles associated with the user.
- Delete any unrecognized or unauthorized resources that were created.
- Perform an analysis of any resources or data that were accessed.
- Enable MFA.