Suspicious activity

Anomaly detection: Permissive role increased reconnaissance activity and unusual services accessed

Risk Level

Informational (4)



Unlike in the past, the role started executing API calls for listing and describing assets in the cloud account. In addition to that the role accessed unusual services in the cloud account. The role was identified by Orca as a permissive role, which in case of compromise can put the cloud account at a higher risk. Therefor those findings might indicate on a malicious usage of the role permissions.
  • Recommended Mitigation

    It is recommended to review the relevant CloudTrail events and principals that issued this API calls.