Suspicious activity

Aws Role suspicious behavior: Permissive role anomaly with GuardDuty alert

Risk Level

Hazardous (3)



A suspicious rise in the overall activity of a role activity was found. In addition, there was an anomaly in source user-agent. The role was identified by Orca as a permissive role. Those findings might indicate on a malicious usage of the role permissions.
  • Recommended Mitigation

    It is recommended to review relevant CloudTrail events and principals that issued this API calls. In addition, the change in the user-agent field might help to understand the cause of the anomaly.