Potential AWS Defense Evasion
This alert fires when Lacework detects activity associated with defense evasion in AWS; for example, an API that can be used to disable or weaken defensive measures (such as logging or monitoring) was invoked anomalously.
Why this Alert is Important
Attackers use defense evasion tactics to cover their tracks and avoid attention, typically by disabling or degrading logging and monitoring before, during, or after other malicious activity. If this activity is unexpected, the credentials that performed it may be compromised.
Investigation
The following are common ways attackers seek to avoid defenses in a cloud environment:
- Avoiding detection via redundant access, for example by creating additional credentials, keys, or roles so that losing one foothold does not end the intrusion
- Reverting cloud instances to a previous state, for example by restoring a snapshot to discard evidence or security tooling
- Establishing a presence in unused or unsupported cloud regions, where logging and monitoring may not be configured
- Continuing to use valid accounts, so that malicious activity blends in with legitimate use
Resolution
Follow these recommended steps to investigate and, where necessary, remediate compromised credentials in your AWS environment:
- Identify the affected IAM entity and the API call used. In the CloudTrail record, these are the userIdentity, eventSource, eventName, awsRegion, and sourceIPAddress fields; note whether the call succeeded or returned an errorCode, since a denied attempt to stop logging is still a strong signal.
- Review permissions for the IAM entity, in particular whether it can modify CloudTrail trails, GuardDuty detectors, AWS Config recorders, or VPC flow logs, and whether it needs those permissions at all.
- Determine whether the IAM entity credentials were used legitimately, for example by checking the source IP, time, and region against expected usage. If not, disable or rotate the credentials, re-enable any logging or monitoring that was turned off, and review what else the credentials did.
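The following is an added example, not Lacework's own detection logic or any code from this page: it applies the investigation and resolution steps above to CloudTrail records. It flags API calls that disable or degrade logging and monitoring (the "defense evasion" APIs), activity in regions the organisation does not use (the unused-region technique in the Investigation list), and failed attempts, then groups the hits by IAM entity, access key, and source IP so each entity can be reviewed. The allowed-region set, the list of evasion APIs, and the CloudTrail records are assumptions constructed for the example; the record field names (userIdentity, eventSource, eventName, awsRegion, sourceIPAddress, requestParameters, errorCode) are the real CloudTrail schema.

```python
"""Triage CloudTrail records for defense-evasion activity (added example).

Not Lacework code: a stand-alone illustration of the investigation steps.
"""
import json
from collections import defaultdict

# Assumption for this example: the organisation only operates in these regions.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

# Assumed watch list of API calls that disable or weaken defensive controls,
# keyed by the real CloudTrail eventSource value of each service.
EVASION_APIS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "logs.amazonaws.com": {"DeleteLogGroup"},
    "securityhub.amazonaws.com": {"DisableSecurityHub"},
}


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of records."""
    return json.loads(text)["Records"]


def identity_of(record):
    """ARN of the IAM entity that made the call (falls back to type:principalId)."""
    ident = record.get("userIdentity", {})
    # For an assumed role, userIdentity.arn is the session ARN; the role itself
    # is under sessionContext.sessionIssuer.arn.
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return ident.get("arn") or issuer.get("arn") or \
        "%s:%s" % (ident.get("type", "unknown"), ident.get("principalId", "?"))


def classify(record):
    """Return the reasons a record is suspicious; an empty list means benign."""
    reasons = []
    source, name = record.get("eventSource"), record.get("eventName")
    params = record.get("requestParameters") or {}
    if name in EVASION_APIS.get(source, ()):
        # UpdateDetector is routine unless it turns the GuardDuty detector off.
        if name != "UpdateDetector" or params.get("enable") is False:
            reasons.append("defense-evasion API " + name)
    if record.get("awsRegion") not in ALLOWED_REGIONS:
        reasons.append("activity in unused region " + str(record.get("awsRegion")))
    # A denied attempt is still worth investigating, so keep it and mark it.
    if reasons and record.get("errorCode"):
        reasons.append("call failed with " + record["errorCode"])
    return reasons


def triage(records):
    """Group suspicious calls by IAM entity, with the keys and IPs involved."""
    hits = defaultdict(lambda: {"access_keys": set(), "source_ips": set(), "calls": []})
    for rec in records:
        reasons = classify(rec)
        if not reasons:
            continue
        entry = hits[identity_of(rec)]
        entry["access_keys"].add(rec.get("userIdentity", {}).get("accessKeyId", "-"))
        entry["source_ips"].add(rec.get("sourceIPAddress", "-"))
        entry["calls"].append((rec.get("eventTime"), source_name(rec), reasons))
    return dict(hits)


def source_name(rec):
    return "%s %s" % (rec.get("eventSource"), rec.get("eventName"))


def report(hits):
    """Render the triage result as text, one IAM entity per section."""
    lines = []
    for arn, entry in sorted(hits.items()):
        lines.append(arn)
        lines.append("  access keys: " + ", ".join(sorted(entry["access_keys"])))
        lines.append("  source IPs:  " + ", ".join(sorted(entry["source_ips"])))
        for when, call, reasons in entry["calls"]:
            lines.append("  %s %s: %s" % (when, call, "; ".join(reasons)))
    return "\n".join(lines)


# Constructed sample log (not real data): an assumed-role session stopping a
# trail, a user launching an instance in an unused region and then being denied
# when trying to disable GuardDuty, and a benign UpdateDetector that keeps it on.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "org-trail"},
  "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ops", "accountId": "123456789012",
   "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/ops", "accessKeyId": "ASIAEXAMPLE1",
   "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/AdminRole"}}}},
 {"eventTime": "2024-05-01T10:03:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "accountId": "123456789012",
   "arn": "arn:aws:iam::123456789012:user/deploy", "accessKeyId": "AKIAEXAMPLE2", "userName": "deploy"}},
 {"eventTime": "2024-05-01T10:05:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "accountId": "123456789012",
   "arn": "arn:aws:iam::123456789012:user/deploy", "accessKeyId": "AKIAEXAMPLE2", "userName": "deploy"}},
 {"eventTime": "2024-05-01T10:06:30Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",
  "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": false},
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "accountId": "123456789012",
   "arn": "arn:aws:iam::123456789012:user/deploy", "accessKeyId": "AKIAEXAMPLE2", "userName": "deploy"}},
 {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
  "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": true},
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE3", "accountId": "123456789012",
   "arn": "arn:aws:iam::123456789012:user/secops", "accessKeyId": "AKIAEXAMPLE3", "userName": "secops"}}
]}"""

if __name__ == "__main__":
    print(report(triage(load_records(SAMPLE_LOG))))
```

Run stand-alone, it reports two entities: the AdminRole session that stopped the trail, and the deploy user with one call in an unused region and one denied attempt to disable GuardDuty; the secops user's UpdateDetector with enable set to true is not reported. The output of triage maps directly onto the resolution steps: the entity and calls to identify, the access keys to consider rotating, and the source IPs and times to compare against legitimate usage.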