AWS API calls indicating Cost Explorer discovery

ID: aws_cost_explorer_discovery
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0007:T1526

Description

AlphaSOC detected unexpected API calls related to AWS Cost Explorer discovery, including actions such as GetCostAndUsage, GetCostAndUsageWithResources, CreateExport, GetExport, GetTable, and ListExports. These API calls may indicate an attempt by threat actors to gather information about AWS resource usage and costs.

Impact

Unauthorized access to AWS Cost Explorer can provide adversaries with insights into an organization's AWS infrastructure, including resource allocation, usage patterns, and potential high-value targets. Threat actors could exploit this information to plan attacks or expose sensitive business details.

Severity

| Severity | Condition |
| --- | --- |
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |

Investigation and Remediation

Review AWS CloudTrail logs to identify the user responsible for the actions. Verify whether the actions were authorized. If unauthorized, revoke any compromised credentials and assess the extent of potential damage.
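
One way to triage CloudTrail records along the lines of the severity table above, as an added example (it is not AlphaSOC's detection logic). The event sources, the per-principal baseline, the IP-to-ASN map, the `rec` helper and the sample records are constructed assumptions.

```python
import ipaddress

# Event names from the detection description; sources are an assumption and
# keep same-named calls from other services (e.g. Glue GetTable) out of scope.
ACTIONS = {"GetCostAndUsage", "GetCostAndUsageWithResources", "CreateExport",
           "GetExport", "GetTable", "ListExports"}
SOURCES = {"ce.amazonaws.com", "bcm-data-exports.amazonaws.com"}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}  # severity table

# Constructed data: IP-to-ASN map (documentation ranges, reserved ASNs) and a
# hypothetical per-principal baseline of normal behaviour.
ASN_MAP = {"192.0.2.0/24": 64496, "203.0.113.0/24": 64511}
FINOPS = "arn:aws:iam::111122223333:user/finops"
BASELINE = {FINOPS: {"action": {"GetCostAndUsage"}, "asn": {64496},
                     "user_agent": {"Boto3/1.34.0"}, "region": {"us-east-1"}}}

def asn_for(ip):
    """Map sourceIPAddress to an ASN; None for service names or unknown ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((a for n, a in ASN_MAP.items() if addr in ipaddress.ip_network(n)), None)

def triage(record):
    """Return (principal, severity, unexpected properties), or None if nothing is unexpected."""
    if record.get("eventName") not in ACTIONS or record.get("eventSource") not in SOURCES:
        return None
    principal = record.get("userIdentity", {}).get("arn", "unknown")
    seen = {"action": record["eventName"], "asn": asn_for(record.get("sourceIPAddress", "")),
            "user_agent": record.get("userAgent"), "region": record.get("awsRegion")}
    known = BASELINE.get(principal, {})
    odd = sorted(k for k, v in seen.items() if v not in known.get(k, set()))
    if not odd:
        return None
    # Assumption: four unexpected properties are capped at Medium, the top of the table.
    return principal, SEVERITY[min(len(odd), 3)], odd

def rec(name, source, ip, agent, region="us-east-1", arn=FINOPS):
    """Build a constructed CloudTrail record trimmed to the fields used here."""
    return {"eventName": name, "eventSource": source, "sourceIPAddress": ip,
            "userAgent": agent, "awsRegion": region, "userIdentity": {"arn": arn}}

SAMPLE = [rec("GetCostAndUsage", "ce.amazonaws.com", "192.0.2.10", "Boto3/1.34.0"),
          rec("ListExports", "bcm-data-exports.amazonaws.com", "192.0.2.10", "Boto3/1.34.0"),
          rec("GetCostAndUsageWithResources", "ce.amazonaws.com", "203.0.113.7", "aws-cli/2.15.0"),
          rec("GetTable", "glue.amazonaws.com", "203.0.113.7", "aws-cli/2.15.0")]

if __name__ == "__main__":
    print(*map(triage, SAMPLE), sep="\n")
```

A principal with no baseline entry has all four properties counted as unexpected, so first-time callers surface at Medium until a baseline exists for them.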