New AWS User
This alert occurs when Lacework detects the creation of a new AWS user.
Why this Alert is Important
As an AWS administrator, you want to know when a new AWS user is created so that you can catch unauthorized user creation. For example, an unauthorized user with full administrative privileges can be used to exfiltrate data, perform malicious actions, or create persistent access to the cloud account.
Investigation
Consider the following steps:
- Examine who created the new user and confirm this is an expected action.
- Examine the scope of privileges granted to this new user.
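Both investigation steps can be worked from CloudTrail records. The following is an added example, not Lacework code: it takes CloudTrail IAM events and reports, for each new user, who created it and which policies, groups, or credentials were added afterwards. The sample records, account ID, and user names are constructed, and the function name summarize_new_users is hypothetical.

```python
# Constructed CloudTrail records for illustration; account ID and names are placeholders.
ALICE = {"arn": "arn:aws:iam::111122223333:user/alice"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "CreateUser",
     "userIdentity": ALICE, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-01-10T09:00:05Z", "eventName": "AttachUserPolicy",
     "userIdentity": ALICE, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-10T09:00:09Z", "eventName": "CreateAccessKey",
     "userIdentity": ALICE, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-01-10T09:01:00Z", "eventName": "AttachUserPolicy",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/IAMFullAccess"}},
]

# IAM calls that give an existing user privileges or credentials.
FOLLOW_UP = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
             "CreateAccessKey", "CreateLoginProfile"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def summarize_new_users(events):
    """Map each newly created user to its creator and the grants that followed."""
    report = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("errorCode"):
            continue  # a failed API call changed nothing
        params = ev.get("requestParameters") or {}
        user, name = params.get("userName"), ev["eventName"]
        if name == "CreateUser":
            report[user] = {"created_by": ev["userIdentity"].get("arn"),
                            "source_ip": ev.get("sourceIPAddress"),
                            "created_at": ev["eventTime"],
                            "grants": [], "admin": False}
        elif name in FOLLOW_UP and user in report:
            detail = (params.get("policyArn") or params.get("policyName")
                      or params.get("groupName") or "")
            report[user]["grants"].append((name, detail))
            report[user]["admin"] |= detail == ADMIN_POLICY
    return report

if __name__ == "__main__":
    for user, info in summarize_new_users(SAMPLE_EVENTS).items():
        print(user, info)
```

The admin flag only catches a direct attachment of the AdministratorAccess managed policy; permissions that arrive through a group or an inline policy still have to be read from IAM.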
Resolution
The following are resolutions that you can implement:
- Rotate and delete all AWS access keys.
- Rotate any potentially unauthorized IAM user credentials.
- Delete any unrecognized or unauthorized resources.
- Enable MFA.
- Avoid using the root user for day-to-day operations.
Related Information
https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/