New AWS Account
This alert occurs when Lacework detects the creation of a new AWS account.
Why this Alert is Important
Because only the organization's AWS management account can create new AWS accounts, an account creation you did not authorize indicates that the management account, or credentials with access to it, may be compromised.
Investigation
Conduct an AWS security audit, including:
- Review your AWS account credentials.
- Review your IAM users.
- Review your IAM groups.
- Review your IAM roles.
- Review your IAM providers for SAML and OpenID Connect (OIDC).
- If you have created a mobile app that makes requests to AWS, review your mobile apps.
- Review your Amazon EC2 security configuration.
- Review AWS policies in other services.
Check the AWS Management Console for any unusual new resources or a resource in a new AWS region.
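The audit above starts from the CloudTrail record of the account creation itself. The following is an added example, not Lacework's detection logic or code from the AWS documentation: it scans CloudTrail records (standard record format) for the AWS Organizations calls that create accounts and reports, for each one, the principal, its account, the source IP, whether the session was MFA-authenticated, and whether the call succeeded. The sample records and the expected management account id are constructed for the example.

```python
"""Triage CloudTrail records for AWS Organizations account creation.

Added example; not Lacework's detection logic. It reads CloudTrail records
in the standard record format and reports every account-creation call with
the facts an analyst needs first.
"""
import json

# Organizations API calls that create a member account.
ACCOUNT_CREATION_EVENTS = {"CreateAccount", "CreateGovCloudAccount"}

# Assumption for this example: the only account id that should ever make these calls.
EXPECTED_MANAGEMENT_ACCOUNT = "111111111111"


def _identity(rec, key, default=""):
    return rec.get("userIdentity", {}).get(key, default)


def mfa_authenticated(rec):
    """CloudTrail records MFA state under sessionContext.attributes; absent means no MFA."""
    session = rec.get("userIdentity", {}).get("sessionContext") or {}
    return session.get("attributes", {}).get("mfaAuthenticated") == "true"


def triage_record(rec):
    """Return a finding for an account-creation record, or None for any other record."""
    if rec.get("eventSource") != "organizations.amazonaws.com":
        return None
    if rec.get("eventName") not in ACCOUNT_CREATION_EVENTS:
        return None
    reasons = []
    caller_account = _identity(rec, "accountId")
    if caller_account != EXPECTED_MANAGEMENT_ACCOUNT:
        reasons.append(f"caller account {caller_account} is not the expected management account")
    if not mfa_authenticated(rec):
        reasons.append("calling session was not MFA-authenticated")
    # Long-term IAM access keys start with AKIA; temporary STS keys start with ASIA.
    if _identity(rec, "accessKeyId").startswith("AKIA"):
        reasons.append("long-term access key used")
    if "errorCode" in rec:
        # A denied attempt is still an attempt worth attributing to a principal.
        reasons.append(f"call failed with {rec['errorCode']}")
    status = (rec.get("responseElements") or {}).get("createAccountStatus") or {}
    return {
        "eventTime": rec.get("eventTime"),
        "eventName": rec.get("eventName"),
        "principal": _identity(rec, "arn"),
        "callerAccount": caller_account,
        "sourceIP": rec.get("sourceIPAddress"),
        "userAgent": rec.get("userAgent"),
        "accountName": (rec.get("requestParameters") or {}).get("accountName"),
        "requestState": status.get("state"),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def triage_trail(records_json):
    """Parse a CloudTrail log file body ({"Records": [...]}) and triage every record."""
    records = json.loads(records_json)["Records"]
    return [f for f in map(triage_record, records) if f is not None]


# Constructed sample records (not real data): a routine console creation with MFA,
# an API call with a long-term key and no MFA, unrelated noise, and a denied attempt
# made from a member account.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:12Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/org-admin",
                      "accessKeyId": "ASIAEXAMPLE1",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"accountName": "payments-prod", "email": "aws+payments@example.com"},
     "responseElements": {"createAccountStatus": {"id": "car-example1",
                          "accountName": "payments-prod", "state": "IN_PROGRESS"}}},
    {"eventTime": "2024-05-01T23:41:03Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.77", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE2"},
     "requestParameters": {"accountName": "tmp-account-7", "email": "x@example.com"},
     "responseElements": {"createAccountStatus": {"id": "car-example2",
                          "accountName": "tmp-account-7", "state": "IN_PROGRESS"}}},
    {"eventTime": "2024-05-01T23:42:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "ListAccounts", "userIdentity": {"type": "IAMUser", "accountId": "111111111111"}},
    {"eventTime": "2024-05-02T01:05:44Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "awsRegion": "eu-west-1",
     "sourceIPAddress": "192.0.2.8", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Developer/alice",
                      "accessKeyId": "ASIAEXAMPLE3",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "errorCode": "AccessDeniedException",
     "requestParameters": {"accountName": "sandbox"}, "responseElements": None},
]})


if __name__ == "__main__":
    for finding in triage_trail(SAMPLE_TRAIL):
        flag = "SUSPICIOUS" if finding["suspicious"] else "routine"
        print(flag, finding["eventTime"], finding["principal"], finding["sourceIP"], finding["reasons"])
```

The principal ARN and source IP from each finding are the starting points for the credential, IAM user and role reviews listed above; the `accountName` and request state tell you which new account to look for in the Organizations console.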
Resolution
The following are resolutions that you can implement:
- Delete relevant access keys and IAM users.
- Delete any unrecognized or unauthorized resources.
- If your AWS management account is compromised, immediately reach out to AWS support.
- Once you have regained control of your AWS account, implement best practices for managing your organization's AWS accounts.
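Deciding which access keys and IAM users are "relevant" to delete, and reviewing account credentials and IAM users during the investigation, both come down to reading the IAM credential report. The following is an added example, not Lacework's or AWS's code: it parses the CSV that `aws iam get-credential-report` returns (the column names are a subset of the real report columns) and lists the credentials a responder should revoke first: everything belonging to the principals implicated in the unauthorized account creation, any root access key, stale access keys, and console passwords without MFA. The report rows, the implicated user and the reference time are constructed for the example.

```python
"""Select credentials to revoke from an IAM credential report.

Added example; not Lacework's or AWS's code. The input is the CSV body of
an IAM credential report; the column names used are real report columns.
"""
import csv
import io
from datetime import datetime, timedelta, timezone


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean unknown."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def revocation_candidates(report_csv, implicated_users, now, max_key_age=timedelta(days=90)):
    """Return (user, credential, reason) tuples, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        implicated = user in implicated_users
        if row["password_enabled"] == "true":
            if implicated:
                findings.append((user, "password", "console password of implicated principal"))
            elif row["mfa_active"] != "true":
                findings.append((user, "password", "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            key = f"access_key_{n}"
            if implicated:
                findings.append((user, key, "access key of implicated principal"))
            elif user == "<root_account>":
                # The root row is always named <root_account>; it should never hold a key.
                findings.append((user, key, "root account access key"))
            else:
                rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > max_key_age:
                    findings.append((user, key, f"not rotated in {max_key_age.days} days"))
    return findings


# Constructed sample report (not real data), trimmed to the columns read above.
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated",
    "<root_account>,arn:aws:iam::111111111111:root,2019-01-10T00:00:00+00:00,not_supported,"
    "2024-04-30T12:00:00+00:00,true,true,2019-01-10T00:00:00+00:00,false,N/A",
    "org-admin,arn:aws:iam::111111111111:user/org-admin,2020-03-01T00:00:00+00:00,true,"
    "2024-05-01T08:55:00+00:00,true,false,N/A,false,N/A",
    "ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2021-06-15T00:00:00+00:00,false,"
    "N/A,false,true,2023-11-01T00:00:00+00:00,false,N/A",
    "report-reader,arn:aws:iam::111111111111:user/report-reader,2022-02-02T00:00:00+00:00,true,"
    "2024-04-20T00:00:00+00:00,false,true,2024-04-01T00:00:00+00:00,false,N/A",
])

# Assumed for the example: ci-deploy is the principal seen in the CreateAccount record.
IMPLICATED = {"ci-deploy"}
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    for user, credential, reason in revocation_candidates(SAMPLE_REPORT, IMPLICATED, NOW):
        print(f"{user:15} {credential:13} {reason}")
```

Credentials of the implicated principal are listed regardless of age, because rotation state says nothing about whether a key has been stolen; the age and MFA rules catch the rest of the exposure the audit is meant to reduce.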
Related Information
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html
https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html