New AWS User

This alert occurs when Lacework detects the creation of a new AWS user.

Why this Alert is Important

As an AWS administrator, you want to know when a new AWS user is created to avoid unauthorized user creation. For example: an unauthorized user with full administrative privileges can be used to exfiltrate data, perform malicious actions or create persistent access into the cloud account.

Investigation

Consider the following steps:

Examine who created the new user and confirm this is an expected action.
Examine the scope of privileges granted to this new user.

Resolution

The following are resolutions that you can implement:

Rotate and delete all AWS access keys.
Rotate any potentially unauthorized IAM user credentials.
Delete any unrecognized or unauthorized resources.
Enable MFA.
Avoid using the root user for day-to-day operations.

https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

Why this Alert is Important​

Investigation​

Resolution​

Related Information​

Why this Alert is Important

Investigation

Resolution

Related Information