
AWS IAM API Error Spike

This alert occurs when Lacework detects a sudden, unexpected increase in the number of failed IAM API calls for an AWS account.

Why this Alert is Important

This alert could indicate compromised accounts probing the environment, or a misconfiguration. This type of event is commonly observed in compromised accounts, where the attacker probes the environment to learn which privileges, permissions, and resources are available to the compromised account.

Specifically, discovery activities from the attacker will result in a spike in the number of failed AWS IAM API calls. Time series analysis monitors the number of failed AWS IAM API calls over time for each role and/or account and detects anomalies.

Investigation

Examine the event history to understand the frequency of previous occurrences. This event may also be related to recent changes in an automation module or script.

Examine the request parameters and task being performed when the event was triggered. Is the event caused by an unsuccessful attempt to access objects, data, or secrets? This can be indicative of attempts at discovery, privilege escalation or lateral movement.

Investigate the user. Is this activity part of an expected workflow for the user context?

Consider the source IP address and geolocation of the user. Is the source IP address associated with an EC2 instance in one of your accounts? If it is an authorized EC2 instance, is the activity consistent with normal behavior for the instance's role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
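As an added example (not Lacework's detection logic or data), the script below applies the idea from the "Why this Alert is Important" section, counting failed IAM API calls per principal over fixed time windows and flagging a window that is far above the principal's own baseline, and then produces the two things the investigation steps above ask for first: which calls failed and from which source IP addresses. The records use real CloudTrail field names (eventTime, eventSource, eventName, errorCode, userIdentity.arn, sourceIPAddress); the events, ARNs, IP addresses and thresholds are constructed for the example.

```python
"""Toy time-series check for failed IAM API calls per principal, plus a
summary of what the investigation steps look at.  Records use real
CloudTrail field names; the events themselves are constructed for this
example and are not Lacework's data or detection logic."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

IAM_SOURCE = "iam.amazonaws.com"
# errorCode values CloudTrail records for denied calls
FAILURE_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}

ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc12345"  # constructed
USER = "arn:aws:iam::111122223333:user/deploy-bot"                      # constructed
BASE = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)


def _event(when, arn, name, ip, error="AccessDenied"):
    """Minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": IAM_SOURCE,
            "eventName": name, "errorCode": error, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip}


PROBE_CALLS = ["ListUsers", "ListRoles", "ListPolicies", "GetAccountAuthorizationDetails",
               "ListAttachedRolePolicies", "ListAccessKeys"]
SAMPLE_EVENTS = []
for h in range(5):  # five baseline hours: one denied call per principal per hour
    SAMPLE_EVENTS.append(_event(BASE + timedelta(hours=h, minutes=7), ROLE, "GetRole", "10.0.1.5"))
    SAMPLE_EVENTS.append(_event(BASE + timedelta(hours=h, minutes=7), USER, "GetUser", "203.0.113.10"))
for i in range(12):  # sixth hour: the role fails a burst of enumeration-style calls from a new IP
    SAMPLE_EVENTS.append(_event(BASE + timedelta(hours=5, minutes=i), ROLE,
                                PROBE_CALLS[i % len(PROBE_CALLS)], "198.51.100.7"))
SAMPLE_EVENTS.append(_event(BASE + timedelta(hours=5, minutes=7), USER, "GetUser", "203.0.113.10"))
# a successful call (no errorCode) that the counter must ignore
SAMPLE_EVENTS.append(_event(BASE + timedelta(hours=5, minutes=8), ROLE, "GetRole", "10.0.1.5", error=None))


def _window_start(ts, window_minutes):
    """Floor a CloudTrail timestamp to the start of its fixed window (UTC)."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    epoch = int(t.timestamp())
    return datetime.fromtimestamp(epoch - epoch % (window_minutes * 60), tz=timezone.utc)


def failed_iam_calls_per_window(events, window_minutes=60):
    """Count failed IAM API calls per principal ARN and fixed time window."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev.get("eventSource") != IAM_SOURCE or ev.get("errorCode") not in FAILURE_CODES:
            continue
        counts[ev["userIdentity"]["arn"]][_window_start(ev["eventTime"], window_minutes)] += 1
    return counts


def detect_spikes(counts, window_minutes=60, min_count=5, ratio=3.0):
    """Flag principals whose latest window holds at least min_count failures and
    more than ratio times the mean of all earlier windows (empty windows count as 0).
    min_count keeps a jump from 0 to 2 failures from firing."""
    width = timedelta(minutes=window_minutes)
    spikes = {}
    for principal, per_window in counts.items():
        windows = sorted(per_window)
        if len(windows) < 2:
            continue
        latest = windows[-1]
        baseline, w = [], windows[0]
        while w < latest:
            baseline.append(per_window.get(w, 0))
            w += width
        avg = mean(baseline)
        if per_window[latest] >= min_count and per_window[latest] > ratio * avg:
            spikes[principal] = {"window": latest, "count": per_window[latest], "baseline_mean": avg}
    return spikes


def summarize_for_investigation(events, principal):
    """What the investigation steps look at first: which calls failed and from which IPs."""
    failed = [ev for ev in events if ev.get("eventSource") == IAM_SOURCE
              and ev.get("errorCode") in FAILURE_CODES and ev["userIdentity"]["arn"] == principal]
    return {"failed_calls": Counter(ev["eventName"] for ev in failed),
            "source_ips": Counter(ev["sourceIPAddress"] for ev in failed)}


if __name__ == "__main__":
    counts = failed_iam_calls_per_window(SAMPLE_EVENTS)
    for principal, info in detect_spikes(counts).items():
        print(f"spike: {principal} {info}")
        print(summarize_for_investigation(SAMPLE_EVENTS, principal))
```

On the constructed data only the assumed role is flagged: its sixth hour holds 12 denied calls against a baseline mean of one per hour, and the summary shows the failures are List*/Get* enumeration calls from an IP address that never appeared in the baseline, which is exactly the combination the investigation steps tell you to weigh against the principal's expected workflow. The IAM user, with one failure per hour throughout, stays below min_count and is not flagged.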

Resolution

If activity is confirmed as suspicious or malicious, rotate and delete AWS IAM access keys.

Check whether any unauthorized new users were created during this activity; remove those accounts and request password resets for the other IAM users.

Investigate recent activity from accounts that logged in from the same source IP address or geolocation.

Evaluate enabling multi-factor authentication for users.
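As an added example that is not part of the original page, the script below turns the resolution steps above into a reviewable remediation plan: it finds IAM users created inside the alert window, deactivates the active access keys of those users and of the principal confirmed as compromised, schedules the unauthorized users for deletion, and lists the remaining users for a password reset. The inventory is constructed but shaped like the `Users` and `AccessKeyMetadata` lists returned by boto3's `iam.list_users()` and `iam.list_access_keys(UserName=...)`; the window, user names and key IDs are assumptions for the example. The plan is plain data so it can be checked before any `iam.update_access_key`, `iam.delete_access_key` or `iam.delete_user` call is made.

```python
"""Build a remediation plan for an IAM API error spike from IAM inventory
data.  The inventory below is constructed; in practice it comes from
iam.list_users() and iam.list_access_keys(UserName=...) (boto3)."""
from datetime import datetime, timezone

# Window in which the alert fired (constructed)
ALERT_START = datetime(2024, 1, 1, 5, 0, tzinfo=timezone.utc)
ALERT_END = datetime(2024, 1, 1, 6, 0, tzinfo=timezone.utc)

# Principal confirmed during investigation as compromised (constructed)
COMPROMISED_USERS = {"deploy-bot"}

# Shaped like iam.list_users()["Users"] (constructed)
USERS = [
    {"UserName": "alice", "CreateDate": datetime(2023, 6, 1, tzinfo=timezone.utc)},
    {"UserName": "deploy-bot", "CreateDate": datetime(2023, 9, 1, tzinfo=timezone.utc)},
    {"UserName": "svc-backup2", "CreateDate": datetime(2024, 1, 1, 5, 41, tzinfo=timezone.utc)},
]

# Shaped like iam.list_access_keys(UserName=...)["AccessKeyMetadata"], keyed by user (constructed)
ACCESS_KEYS = {
    "alice": [{"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active"}],
    "deploy-bot": [{"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active"},
                   {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive"}],
    "svc-backup2": [{"AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Active"}],
}


def users_created_in_window(users, start, end):
    """Users whose CreateDate falls inside the alert window: candidates for removal."""
    return sorted(u["UserName"] for u in users if start <= u["CreateDate"] <= end)


def build_remediation_plan(users, access_keys, compromised, start, end):
    """Return an ordered list of (action, user, access_key_id) tuples.

    Keys are deactivated rather than deleted first (iam.update_access_key with
    Status="Inactive"), so a key wrongly caught by the plan can be re-enabled;
    deletion and rotation follow once the plan is confirmed."""
    new_users = users_created_in_window(users, start, end)
    affected = set(compromised) | set(new_users)
    plan = []
    for name in sorted(affected):
        for key in access_keys.get(name, []):
            if key["Status"] == "Active":
                plan.append(("deactivate_access_key", name, key["AccessKeyId"]))
    for name in new_users:
        # iam.delete_user requires keys, policies and the login profile removed first
        plan.append(("delete_user", name, None))
    for u in users:
        if u["UserName"] not in affected:
            plan.append(("request_password_reset", u["UserName"], None))
    return plan


if __name__ == "__main__":
    for action, user, key_id in build_remediation_plan(USERS, ACCESS_KEYS, COMPROMISED_USERS,
                                                       ALERT_START, ALERT_END):
        print(action, user, key_id or "")
```

On the constructed inventory the plan deactivates the active key of `deploy-bot` and of the newly created `svc-backup2`, schedules `svc-backup2` for deletion, and requests a password reset for `alice`; the already-inactive key is left alone. Enabling MFA, the last resolution step, is a per-user or policy-level change and is not part of this plan.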