Skip to content

Previously Inactive Token Is Now Active Again

Eco-system support

  • AWS IAM Access token

  • Azure app registration token

Description

When a token that has been inactive for a period of time becomes active again, it could potentially pose a security threat to your organization.

It's important to be aware of this and take the necessary precautions to ensure that token activity is legitimate.

Detection Triggers

  • Inactive (idle) token status is switched to “active” (used).

  • Token is becoming Idle after not being used for X days- 30 by default, however, this configuration of “Idle” can be set on Liminal’s risks settings.

  • The token must be enabled.

Mitigation

Inactive tokens becoming active again after a long time is considered an anomaly.

Review this activity by following these steps:

  1. Review the “activity” tab to check its activity for the following behavior.

    • Is his new activity aligned with his previous one, or is it used to perform new actions?

    • Is the workload IP and client identical to its previous usage?

  2. Investigate the actor’s identity, to understand if it’s legitimate and expected.

    • If legitimate, move this risk status to 'approved'.

    • Otherwise, consider revoking the token and investigating the actors.