Previously Disabled Token Has Been Reactivated
Description
Once a token is disabled, it should no longer be used for its original purpose. A reactivation of this token could be a security threat. It's important to be aware of this and take the necessary precautions to ensure that token activity is legitimate.

Detection triggers
-
"Disabled" token is switched to "Enabled".
-
Token wasn't "Enabled" in the recent 30 days.
-
The token must be currently enabled.
Mitigation
Review abnormal activity.
A previously disabled token becoming enabled again after a long time is considered an anomaly.
Review this activity by following these steps:
-
Review the "activity" tab to check its activity for the following behavior.
-
Is his new activity aligned with his previous one, or is it used to perform new actions.
-
Is the workload IP and client identical to its previous usage.
-
-
Investigate the actor's identity, to understand if it's legitimate and expected.
-
If legitimate, move this risk status to 'approved'.
-
Otherwise, consider revoking the token and investigating the actors.
-
JSON Example
Risk JSON
account: {environment: "qa", environmentType: "QA"}
accountId: "116849364939"
accountType: "AWS"
category: "ABNORMAL_BEHAVIOR"
correlationGuid: null
creationDate: "2024-09-29T13:38:44.463Z"
customData: null
customerId: 34
data: {awsLogs: [{tags: ["Human", "Browser"], eventId: "4fbb4d99-e9ad-420f-b4a8-49b7f850b669",…},…],…}
description: "Once a token is disabled, it should no longer be used for its original purpose. A reactivation of this token could be a security threat. It's important to be aware of this and take the necessary precautions to ensure that token activity is legitimate."
destination: "AWS_IAM_ACCESS_KEY"
guid: "RSK-8756"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 42208
isArchived: false
key: "USER_REVIVED-TKN-203"
linkedElements: ["TKN-203"]
logChangeType: null
modifyDate: "2024-09-29T14:04:14.819Z"
name: "Previously disabled token has been reactivated"
occurrences: []
owner: "Sarahm"
ownerAiObject: {similarity: 0.975, ownerItemType: "email", elementItemType: "username",…}
ownerUid: "467e25ce-e0b8-4edf-bdc8-ec80a8448c1a"
path: "AKIARWNGDZ7FY5PO9YYC"
ruleCode: "TOKEN_DISABLED_TO_ENABLED"
scanId: 1921261
severity: "HIGH"
source: "AWS"
status: "OPEN"
tags: ["Abnormal Behavior", "qa_saya_aws_cf"]
tasks: [{customerId: 34, riskId: 42208, type: "REVIEW_ACTIVITY", level: "HARD",…},…]
type: "USER_REVIVED"
Linked Element (NHI Token) JSON
accessedDate: null
account: {environment: "qa", environmentType: "QA", accountType: "AWS", id: "116849364939"}
accountId: "116849364939"
accountType: "AWS"
awsPolicies: {policies: [], userUsage: null, tokenUsage: null, policiesUsage: {}, userExcessiveUsage: null,…}
azurePermissions: null
azureRoles: null
correlationGuid: "NTR-123021"
creationDate: "2024-04-02T12:09:35.000Z"
creator: {eventId: "b7d7fff1-db09-4a83-a199-f2da7c237f82", username: "Sarahm",…}
customerId: 34
devices: null
guid: "TKN-203"
infoJSON: "{\"serviceName\":\"N/A\",\"region\":\"N/A\",\"userArn\":\"arn:aws:iam::116849364939:user/sarah.qa.entro.security\"}"
isActive: false
isAdmin: false
isArchived: false
isIdle: false
isProd: false
lastAccessors: []
lastModifiers: []
lastOwnerAiUpdate: null
liminalCreationDate: "2024-05-15T14:20:42.547Z"
liminalModifyDate: "2024-10-29T11:38:54.392Z"
originAccessMethod: "AWS_IAM_ACCESS_KEY"
owner: "Sarahm"
ownerAiObject: {similarity: 0.975, ownerItemType: "email", elementItemType: "username",…}
ownerSource: null
ownerUid: "467e25ce-e0b8-4edf-bdc8-ec80a8448c1a"
riskSeverity: "CRITICAL"
rotationDate: "2024-04-02T12:09:35.000Z"
scanId: 2884527
serviceName: "N/A"
status: "Active"
tags: {tags: []}
tokenId: "AKIARWNGDZ7FY5PO9YYC"
tokenTotalAccess: 2
tokenTotalIp: 1
tokenTotalUserAgent: 1
uid: "f8186397-531e-4d51-ac08-04caa212c6d3"
userAgent: null
username: "Sarahm"