New AWS User

This alert occurs when Lacework detects the creation of a new AWS user.

Why this Alert is Important

As an AWS administrator, you want to know when a new AWS user is created so that you can catch unauthorized user creation. For example, an unauthorized user with full administrative privileges can be used to exfiltrate data, perform malicious actions, or create persistent access into the cloud account.

Investigation

Consider the following steps:

  • Examine who created the new user and confirm this is an expected action.
  • Examine the scope of privileges granted to this new user.
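The two investigation steps above can be run over exported CloudTrail records. The following is an added example, not Lacework's own code: it assumes records with the standard CloudTrail fields eventName, eventTime, userIdentity, requestParameters and errorCode, and the account ID, user names and helper names (ev, triage_new_users) are constructed placeholders.

```python
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# IAM calls that hand a user permissions or credentials.
GRANT_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
                "CreateAccessKey", "CreateLoginProfile"}

def ev(time, name, actor_type, actor_arn, params, error=None):
    """Build a constructed record with the CloudTrail fields used below."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": "203.0.113.10",
           "userIdentity": {"type": actor_type, "arn": actor_arn},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

ALICE = "arn:aws:iam::111122223333:user/alice"  # placeholder account and names
SAMPLE_EVENTS = [  # constructed sample, deliberately out of order; not real log data
    ev("2024-01-01T10:02:00Z", "CreateAccessKey", "IAMUser", ALICE, {"userName": "svc-backup"}),
    ev("2024-01-01T10:00:00Z", "CreateUser", "IAMUser", ALICE, {"userName": "svc-backup"}),
    ev("2024-01-01T10:01:00Z", "AttachUserPolicy", "IAMUser", ALICE,
       {"userName": "svc-backup", "policyArn": ADMIN_POLICY}),
    ev("2024-01-01T10:03:00Z", "AddUserToGroup", "IAMUser", ALICE,
       {"userName": "bob", "groupName": "developers"}),
    ev("2024-01-01T10:04:00Z", "PutUserPolicy", "IAMUser", ALICE,
       {"userName": "svc-backup", "policyName": "inline-all"}, error="AccessDenied"),
]

def triage_new_users(events):
    """Map each newly created user to its creator and the grants that followed."""
    report = {}
    for e in sorted(events, key=lambda r: r["eventTime"]):
        params = e.get("requestParameters") or {}
        user, name = params.get("userName"), e.get("eventName")
        if e.get("errorCode") or not user:
            continue  # skip failed calls and events that name no user
        if name == "CreateUser":
            who = e.get("userIdentity", {})
            report[user] = {"created_by": who.get("arn"), "source_ip": e.get("sourceIPAddress"),
                            "grants": [], "flags": []}
            if who.get("type") == "Root":
                report[user]["flags"].append("created by root user")
        elif name in GRANT_EVENTS and user in report:
            detail = (params.get("policyArn") or params.get("policyName")
                      or params.get("groupName") or "")
            report[user]["grants"].append((name, detail))
            if detail == ADMIN_POLICY:
                report[user]["flags"].append("administrator policy attached")
            if name == "CreateAccessKey":
                report[user]["flags"].append("long-lived access key issued")
    return report
```

Calling triage_new_users(SAMPLE_EVENTS) returns one entry per new user, giving the creator ARN, source IP, the grants made after creation, and any flags to review first.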

Resolution

The following are resolutions that you can implement:

  • Rotate and delete all AWS access keys.
  • Rotate any potentially unauthorized IAM user credentials.
  • Delete any unrecognized or unauthorized resources.
  • Enable MFA.
  • Avoid using the root user for day-to-day operations.

https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/