Suspicious activity

Anomaly detection: Reconnaissance activity by a permissive role

Risk Level

Hazardous (3)



Unlike in the past, the role started executing API calls for listing and describing assets in the cloud account. The role was assumed by an identity from external cloud account. The role was identified by Orca as a permissive role, which in case of compromise can put the cloud account at a higher risk. Therefor those findings might indicate on a malicious usage of the role permissions.
  • Recommended Mitigation

    It is recommended to review the relevant CloudTrail events and principals that issued this API calls.