Code Room
On-call · Hard · oc-g146
Subject: Suspicious access
Level: Senior–Staff
Duration: ~45 min
Common in: Reliability & on-call interviews
Industries: Technology, Software development

Question

GuardDuty/CloudTrail anomaly fires: a low-privilege CI IAM role ('ci-deployer') performed iam:PutRolePolicy on itself adding administrator-equivalent permissions, then iam:CreateAccessKey for a different, dormant admin role, then started AssumeRole calls into prod accounts via your org. The CI role's only legit job is deploying to staging. The escalation calls came from an EC2 instance in your CI account, but at a time no CI job was scheduled. How do you triage, contain, and remediate this privilege escalation?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
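The "real signals" in this scenario are the trail records themselves. The following is an added example, not part of the original question or model answer, that flags the three-step chain in CloudTrail-style records and collects the containment inventory (role to quarantine, user whose key to deactivate, cross-account role whose sessions to revoke). The records, account IDs, IPs and names are constructed placeholders; because CreateAccessKey targets an IAM user, the dormant admin principal is modelled as the hypothetical user 'legacy-admin'.

```python
"""Added example: flag the escalation chain from the scenario in CloudTrail-style
records and build the containment inventory a responder needs."""
from collections import defaultdict

ESCALATION_EVENTS = {"PutRolePolicy", "AttachRolePolicy", "PutRolePermissionsBoundary"}
# finding tag -> (containment bucket, requestParameters field naming the principal)
CONTAIN = {"SELF_POLICY_CHANGE": ("quarantine_roles", "roleName"),
           "KEY_MINTED_FOR_OTHER_PRINCIPAL": ("deactivate_users", "userName"),
           "CROSS_ACCOUNT_ASSUME": ("revoke_sessions_for", "roleArn")}
CI = "arn:aws:sts::111111111111:assumed-role/ci-deployer/i-0abc"   # constructed
SAMPLE_EVENTS = [  # constructed records, trimmed to the fields the checks read
    {"eventName": "UpdateStack", "userIdentity": {"arn": CI}, "sourceIPAddress": "10.0.5.12",
     "requestParameters": {"stackName": "staging-web"}},            # legitimate staging deploy
    {"eventName": "PutRolePolicy", "userIdentity": {"arn": CI}, "sourceIPAddress": "10.0.5.12",
     "requestParameters": {"roleName": "ci-deployer", "policyName": "inline-admin"}},
    {"eventName": "CreateAccessKey", "userIdentity": {"arn": CI}, "sourceIPAddress": "10.0.5.12",
     "requestParameters": {"userName": "legacy-admin"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "10.0.5.12",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/legacy-admin"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/OrgAdmin"}},
]

def principal_name(arn):
    """Role name from an assumed-role ARN, or user name from an IAM user ARN."""
    parts = arn.split("/")
    return parts[1] if len(parts) > 1 else arn

def account_of(arn):
    return arn.split(":")[4]

def classify(ev):
    """Return a finding tag for one record, or None when no rule matches."""
    ident = ev["userIdentity"]["arn"]
    actor, params, name = principal_name(ident), ev.get("requestParameters") or {}, ev["eventName"]
    if name in ESCALATION_EVENTS and params.get("roleName") == actor:
        return "SELF_POLICY_CHANGE"                # a role widening its own permissions
    if name == "CreateAccessKey" and params.get("userName") not in (None, actor):
        return "KEY_MINTED_FOR_OTHER_PRINCIPAL"    # long-lived creds for a different principal
    if name == "AssumeRole" and account_of(params.get("roleArn", ident)) != account_of(ident):
        return "CROSS_ACCOUNT_ASSUME"              # pivot out of the CI account
    return None

def triage(events):
    """Group findings by source IP; collect what to quarantine, deactivate and revoke."""
    findings, inventory = defaultdict(list), defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            findings[ev["sourceIPAddress"]].append((ev["eventName"], tag))
            bucket, field = CONTAIN[tag]
            inventory[bucket].add(ev["requestParameters"][field])
    return dict(findings), dict(inventory)
```

Grouping by source IP ties the chain back to the single EC2 instance the scenario names, which is what justifies isolating that host rather than the whole CI fleet.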
