Suspicious activity

Anomaly detection: Permissive role with unusual amount of access denied responses.

Risk Level

Hazardous (3)



Unlike its past behavior, the role executed API calls that resulted in an unusual number of access denied responses. The API calls were made with an unusual user agent. Orca identified the role as a permissive role, which, if compromised, can put the cloud account at higher risk. These findings might therefore indicate malicious use of the role's permissions.

Recommended Mitigation

It is recommended to review the relevant CloudTrail events and the principals that issued these API calls. In addition, the change in the user-agent field might help explain the cause of the anomaly.
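One way to carry out that review on exported CloudTrail records, as an added example that is not Orca's detection logic: it groups each role's access denied responses by user agent and API call, and lists user agents absent from a baseline. The role ARN, the sample events and the `KNOWN_USER_AGENTS` baseline are constructed assumptions; the field names (`userIdentity`, `errorCode`, `userAgent`, `eventName`) are standard CloudTrail record fields.

```python
from collections import Counter, defaultdict

# Error codes CloudTrail records when a call fails authorization.
DENIED_CODES = {"AccessDenied", "AccessDeniedException",
                "UnauthorizedOperation", "Client.UnauthorizedOperation"}

ROLE = "arn:aws:iam::111122223333:role/ExampleAdminRole"  # placeholder ARN

def _event(name, user_agent, error=None, id_type="AssumedRole"):
    """Build a constructed CloudTrail record holding only the fields used below."""
    record = {"eventName": name, "userAgent": user_agent,
              "userIdentity": {"type": id_type,
                               "sessionContext": {"sessionIssuer": {"arn": ROLE}}}}
    if error:
        record["errorCode"] = error
    return record

# Constructed sample data, not real log output.
SAMPLE_EVENTS = [
    _event("DescribeInstances", "aws-sdk-go/1.44.0"),
    _event("ListBuckets", "aws-sdk-go/1.44.0"),
    _event("ListUsers", "example-client/1.0", "AccessDenied"),
    _event("ListUsers", "example-client/1.0", "AccessDenied"),
    _event("DescribeInstances", "example-client/1.0", "Client.UnauthorizedOperation"),
    _event("ListBuckets", "console.amazonaws.com", id_type="IAMUser"),  # not a role: skipped
]
# Assumed baseline: user agents seen for each role in earlier CloudTrail history.
KNOWN_USER_AGENTS = {ROLE: {"aws-sdk-go/1.44.0"}}

def summarize_denials(events, known_user_agents):
    """Per role: calls, denied calls, denials by (userAgent, eventName), new user agents."""
    report = defaultdict(lambda: {"calls": 0, "denied": 0,
                                  "denied_by": Counter(), "new_user_agents": set()})
    for ev in events:
        identity = ev.get("userIdentity", {})
        arn = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        if identity.get("type") != "AssumedRole" or arn is None:
            continue
        row, ua = report[arn], ev.get("userAgent", "")
        row["calls"] += 1
        if ua not in known_user_agents.get(arn, set()):
            row["new_user_agents"].add(ua)
        if ev.get("errorCode") in DENIED_CODES:
            row["denied"] += 1
            row["denied_by"][(ua, ev.get("eventName"))] += 1
    return dict(report)

if __name__ == "__main__":
    for arn, row in summarize_denials(SAMPLE_EVENTS, KNOWN_USER_AGENTS).items():
        print(arn, f"{row['denied']}/{row['calls']} denied", sorted(row["new_user_agents"]))
```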