Suspicious activity

Exposed aws access key was used to add user to group

Platform(s)

Description

Orca detected that an exposed AWS access key was used to add user to group. This action may indicate of a presence of an unauthorized actor in the cloud environment, since the AWS credentials conducting the API call has been exposed and compromised. AWS proactively monitors popular code repository sites for exposed AWS Identity and Access Management (IAM) access keys. On detection of an exposed IAM access key, a policy named 'AWSExposedCredentialPolicy_DO_NOT_REMOVE' is assigned to the IAM user in order to notify on the leaked access key.