Multiple denied AWS API calls requiring investigation
Description
AlphaSOC detected multiple (5 or more) denied AWS API calls, which may indicate malicious activity. Repeated denials show that a caller tried more than once to perform actions it is not authorized to perform in the AWS environment.
Impact
Repeated denied API calls may indicate that a threat actor is attempting to enumerate or exploit AWS resources.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple denied AWS API calls requiring investigation |
Investigation and Remediation
Investigate the source of the denied API calls by reviewing AWS CloudTrail logs. Identify the specific API actions that were attempted and the IAM user or role that made the calls. If malicious activity is confirmed, monitor for any other suspicious activity in the environment.
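Triage logic for this alert as an added example (not AlphaSOC's own detection code): it groups CloudTrail records by calling principal, counts authorization failures using the error codes AWS returns, and reports the distinct actions attempted by any principal at or above the five-call threshold. The sample records and ARNs are constructed, and the error-code suffix list is an assumption about which codes cover the common AWS denial responses.

```python
from collections import defaultdict

THRESHOLD = 5  # alert condition from the description: five or more denied calls

# CloudTrail error codes for authorization failures; service-specific
# variants such as EC2's "Client.UnauthorizedOperation" match by suffix.
DENIED_SUFFIXES = ("AccessDenied", "AccessDeniedException", "UnauthorizedOperation")


def is_denied(record):
    """True if the call was refused by an IAM or resource policy."""
    return record.get("errorCode", "").endswith(DENIED_SUFFIXES)


def summarize_denials(records):
    """Map principal ARN -> denied-call count, distinct 'service:action'
    pairs attempted and source IPs, for every principal with a denial."""
    acc = defaultdict(lambda: {"count": 0, "actions": set(), "source_ips": set()})
    for rec in records:
        if not is_denied(rec):
            continue
        entry = acc[rec.get("userIdentity", {}).get("arn", "<unknown>")]
        entry["count"] += 1
        entry["actions"].add(f"{rec.get('eventSource')}:{rec.get('eventName')}")
        entry["source_ips"].add(rec.get("sourceIPAddress", "<unknown>"))
    return {arn: {"count": e["count"], "actions": sorted(e["actions"]),
                  "source_ips": sorted(e["source_ips"])} for arn, e in acc.items()}


def principals_over_threshold(records, threshold=THRESHOLD):
    """Principals meeting the alert condition; many services from one ARN suggests enumeration."""
    return {arn: s for arn, s in summarize_denials(records).items()
            if s["count"] >= threshold}


# Constructed sample records (not real CloudTrail data): one assumed role probing
# several services, one user with a single denial, one allowed call not counted.
ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
USER = "arn:aws:iam::111122223333:user/alice"
_ROWS = [  # (principal, eventSource, eventName, sourceIPAddress, errorCode)
    (ROLE, "iam.amazonaws.com", "ListUsers", "203.0.113.10", "AccessDenied"),
    (ROLE, "iam.amazonaws.com", "ListRoles", "203.0.113.10", "AccessDenied"),
    (ROLE, "s3.amazonaws.com", "ListBuckets", "203.0.113.10", "AccessDenied"),
    (ROLE, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", "Client.UnauthorizedOperation"),
    (ROLE, "secretsmanager.amazonaws.com", "ListSecrets", "203.0.113.10", "AccessDeniedException"),
    (ROLE, "s3.amazonaws.com", "PutObject", "203.0.113.10", None),
    (USER, "s3.amazonaws.com", "GetObject", "198.51.100.7", "AccessDenied"),
]
SAMPLE_RECORDS = [{"userIdentity": {"arn": a}, "eventSource": s, "eventName": n,
                   "sourceIPAddress": ip, **({"errorCode": c} if c else {})}
                  for a, s, n, ip, c in _ROWS]
```

Running `principals_over_threshold(SAMPLE_RECORDS)` flags only the assumed role, with its five distinct service:action pairs and single source IP listed for the analyst.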
Known False Positives
- A newly deployed application attempting to access resources with incorrect IAM permissions
- Automated scripts or CI/CD pipelines using outdated or incorrect credentials
- Users attempting to access resources after recent permission changes
- Third-party tools or services integrated with AWS attempting actions beyond their intended scope