about

principles

High volumes of access denied errors from a specific identity
IAM user creation events from EC2 instances (where the role session name starts with i-)
Access denied errors that occurred when creating an IAM user, especially when the same IAM user name was attempted to be created across multiple environments
IAM user creation events from identities that had never created IAM users in the past
IAM user names with grammatical errors or slight deviations of a common word

[[infosec-compendiums|infosec-compendiums]]