Suspicious activity

Anomaly detection: Permissive role with unusual amount of access denied responses.

Risk Level

Hazardous (3)

Platform(s)

Description

Unlike in the past, the role executed API calls, and an unusual number of them resulted in access denied responses. The API calls were made from an unusual user agent. Orca identified the role as a permissive role, which, if compromised, can put the cloud account at higher risk. These findings might therefore indicate malicious use of the role's permissions.
Recommended Mitigation

It is recommended to review the relevant CloudTrail events and the principals that issued these API calls. In addition, the change in the user-agent field might help explain the cause of the anomaly.
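
One way to carry out that review over exported CloudTrail records, as an added example (not Orca's detection logic): it groups a role's denied calls by session principal, user agent and API call, and lists user agents absent from a known baseline. The role ARN, account ID, user agents and the set of error codes treated as "denied" are assumptions made for the sample.

```python
from collections import Counter

# errorCode values treated as "access denied" (assumption: common, not exhaustive).
DENIED_CODES = {"AccessDenied", "AccessDeniedException",
                "UnauthorizedOperation", "Client.UnauthorizedOperation"}

def role_arn(record):
    """Return the IAM role ARN behind an AssumedRole event, or None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")

def summarize(records, role, baseline_agents):
    """Count denied calls made under `role`, keyed by (session ARN, user agent, API)."""
    total, denied, agents = 0, Counter(), set()
    for rec in records:
        if role_arn(rec) != role:
            continue  # event belongs to another principal
        total += 1
        agent = rec.get("userAgent", "")
        agents.add(agent)
        if rec.get("errorCode") in DENIED_CODES:
            denied[(rec["userIdentity"]["arn"], agent, rec["eventName"])] += 1
    n_denied = sum(denied.values())
    return {"total": total, "denied": n_denied,
            "denied_ratio": n_denied / total if total else 0.0,
            "new_agents": sorted(agents - set(baseline_agents)),
            "top_denied": denied.most_common(5)}

# Constructed sample records (placeholder account, role, sessions and user agents).
ROLE = "arn:aws:iam::111122223333:role/ExampleAdminRole"
def _rec(session, agent, name, error=None):
    rec = {"eventName": name, "userAgent": agent,
           "userIdentity": {"type": "AssumedRole",
               "arn": f"arn:aws:sts::111122223333:assumed-role/ExampleAdminRole/{session}",
               "sessionContext": {"sessionIssuer": {"arn": ROLE}}}}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE = [
    _rec("deploy", "aws-cli/2.15.0", "DescribeInstances"),
    _rec("s-01", "example-client/0.1", "ListUsers", "AccessDenied"),
    _rec("s-01", "example-client/0.1", "ListUsers", "AccessDenied"),
    _rec("s-01", "example-client/0.1", "RunInstances", "Client.UnauthorizedOperation"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, ROLE, baseline_agents={"aws-cli/2.15.0"}))
```

The baseline set would come from the role's earlier CloudTrail history; a session ARN that appears only alongside a new user agent is the principal to examine first.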