
Multiple denied AWS API calls requiring investigation

ID: aws_access_denied
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0007:T1580

Description

AlphaSOC detected multiple (5 or more) denied AWS API calls, which may indicate malicious activity. This behavior indicates repeated attempts to perform actions the caller is not authorized to perform within the AWS environment.

Impact

Repeated denied API calls may indicate that a threat actor is attempting to enumerate or exploit AWS resources.

Severity

Severity | Condition
Low      | Multiple denied AWS API calls requiring investigation

Investigation and Remediation

Investigate the source of the denied API calls by reviewing AWS CloudTrail logs. Identify the specific API actions attempted and the IAM user or role involved. If malicious activity is confirmed, monitor for any other suspicious activity in the environment.
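As an added example (not AlphaSOC's code), the following applies the 5-or-more threshold to CloudTrail records and produces the per-identity breakdown described above: the denied actions and source IPs for each IAM user or role. The records are constructed, and the set of errorCode values treated as denials and the "<unknown>" fallback for records without a principal ARN are assumptions.

```python
"""Added example (not AlphaSOC's code): threshold check for denied AWS API calls.
Assumes CloudTrail JSON as delivered to S3 (a top-level "Records" list); the errorCode
values matched are AccessDenied, AccessDeniedException and EC2's Client.UnauthorizedOperation."""
import json
from collections import defaultdict

DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}
THRESHOLD = 5  # the rule fires at 5 or more denied calls from one identity

def load_records(trail_json):
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(trail_json)["Records"]

def denied_calls_by_identity(records):
    """Group denied calls by the calling principal's ARN ("<unknown>" if absent)."""
    hits = defaultdict(list)
    for r in records:
        if r.get("errorCode") in DENIED_CODES:
            hits[r.get("userIdentity", {}).get("arn", "<unknown>")].append(r)
    return hits

def find_alerts(records, threshold=THRESHOLD):
    """Identities at or above the threshold, with the actions and source IPs an analyst needs."""
    alerts = []
    for arn, calls in denied_calls_by_identity(records).items():
        if len(calls) >= threshold:
            alerts.append({
                "identity": arn,
                "count": len(calls),
                # many distinct services/actions looks like enumeration; one action
                # repeated from a pipeline host looks like a misconfigured client
                "actions": sorted({f"{c['eventSource']}:{c['eventName']}" for c in calls}),
                "source_ips": sorted({c.get("sourceIPAddress", "?") for c in calls}),
            })
    return alerts

def _rec(arn, source, name, ip, code="AccessDenied"):  # constructed minimal CloudTrail record
    r = {"userIdentity": {"type": "IAMUser", "arn": arn}, "eventSource": source,
         "eventName": name, "sourceIPAddress": ip}
    return {**r, "errorCode": code} if code else r

ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed sample principals
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE_TRAIL = json.dumps({"Records": [  # constructed sample log file body
    _rec(ALICE, "s3.amazonaws.com", "ListBuckets", "203.0.113.10"),
    _rec(ALICE, "iam.amazonaws.com", "ListUsers", "203.0.113.10"),
    _rec(ALICE, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", "Client.UnauthorizedOperation"),
    _rec(ALICE, "secretsmanager.amazonaws.com", "ListSecrets", "203.0.113.10"),
    _rec(ALICE, "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.10", None),  # succeeded
    _rec(ALICE, "lambda.amazonaws.com", "ListFunctions20150331", "203.0.113.10"),
    _rec(BOB, "s3.amazonaws.com", "GetObject", "198.51.100.7"),  # two denials: below threshold
    _rec(BOB, "s3.amazonaws.com", "GetObject", "198.51.100.7"),
]})
```

Running `find_alerts(load_records(SAMPLE_TRAIL))` flags only alice, with five distinct denied actions across five services from a single source IP; bob's two denials stay below the threshold.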

Known False Positives

  • A newly deployed application attempting to access resources with incorrect IAM permissions.
  • Automated scripts or CI/CD pipelines using outdated or incorrect credentials.
  • Users attempting to access resources after recent permission changes.
  • Third-party tools or services integrated with AWS attempting actions beyond their intended scope.