
AWS API calls indicating disruption

ID: aws_disruption
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1531

Description

AlphaSOC detected the use of AWS APIs indicating disruption, including deleting or modifying critical resources such as AWS VPCs, security groups, routing tables, and configuration rules. This activity could indicate an attempt to disrupt cloud operations by destroying or tampering with data, potentially as part of an attack to compromise the AWS infrastructure.

Impact

Unauthorized use of AWS APIs can cause significant disruption, including extended downtime, data loss, or security breaches. It may result in the deletion of critical network components, removal of security controls, or the alteration of configurations, undermining the integrity, availability, and confidentiality of cloud services.

Severity

Severity | Condition
--- | ---
Informational | One unexpected property (action, ASN, user agent or region)
Low | Two unexpected properties at the same time
Medium | Three unexpected properties at the same time
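As an added illustration of the severity table above (example code written for this page, not AlphaSOC's detection logic), the block below scores constructed CloudTrail records: a call counts as disruptive when its eventName is in an illustrative set of EC2 and AWS Config API names that delete or modify the resource types the description lists, and the severity is then set by how many of the four properties (action, ASN, user agent, region) fall outside an assumed account baseline. The set of API names, the baseline, the IP-to-ASN map and the log records are all constructed for the example; CloudTrail itself records only the source IP, so the ASN lookup stands in for an enrichment step.

```python
import json
from dataclasses import dataclass

# Illustrative EC2 and AWS Config API names that delete or modify the resource
# types named in the description (VPCs, security groups, route tables, config
# rules). Which API names the production rule actually covers is an assumption.
DISRUPTIVE_EVENTS = {
    "DeleteVpc", "DeleteSecurityGroup", "RevokeSecurityGroupIngress",
    "DeleteRouteTable", "DeleteRoute", "ReplaceRoute", "DeleteConfigRule",
}

# Severity by number of unexpected properties, as in the page's table.
# Zero unexpected properties means the call is routine for this account: no alert.
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

# Constructed IP -> ASN map standing in for the IP enrichment step; CloudTrail
# itself records only sourceIPAddress, not the ASN.
IP_TO_ASN = {"203.0.113.10": 64500, "198.51.100.7": 64501}


@dataclass(frozen=True)
class Baseline:
    """What is normal for the account. Constructed here; learned from history in practice."""
    actions: frozenset
    asns: frozenset
    user_agents: frozenset
    regions: frozenset


def unexpected_properties(record, baseline):
    """Names of the properties in a CloudTrail record that fall outside the baseline."""
    unexpected = []
    if record.get("eventName") not in baseline.actions:
        unexpected.append("action")
    if IP_TO_ASN.get(record.get("sourceIPAddress")) not in baseline.asns:
        unexpected.append("asn")
    if record.get("userAgent") not in baseline.user_agents:
        unexpected.append("user_agent")
    if record.get("awsRegion") not in baseline.regions:
        unexpected.append("region")
    return unexpected


def score(record, baseline):
    """(severity, unexpected) for a disruptive call; None if the call is not disruptive."""
    if record.get("eventName") not in DISRUPTIVE_EVENTS:
        return None
    unexpected = unexpected_properties(record, baseline)
    # All four properties can be unexpected at once; the table tops out at Medium.
    return SEVERITY_BY_COUNT[min(len(unexpected), 3)], unexpected


def alerts(records, baseline):
    """Alerts for every disruptive call with at least one unexpected property."""
    out = []
    for record in records:
        scored = score(record, baseline)
        if scored is None or scored[0] is None:
            continue
        severity, unexpected = scored
        out.append({
            "eventName": record["eventName"],
            "severity": severity,
            "unexpected": unexpected,
            # Pivots for triage: which credential and source address to examine.
            "accessKeyId": record.get("userIdentity", {}).get("accessKeyId"),
            "sourceIPAddress": record.get("sourceIPAddress"),
        })
    return out


# Constructed baseline: this account routinely runs DescribeInstances and
# DeleteRoute from one ASN, one CLI user agent, and one region.
BASELINE = Baseline(
    actions=frozenset({"DescribeInstances", "DeleteRoute"}),
    asns=frozenset({64500}),
    user_agents=frozenset({"aws-cli/2.15.0"}),
    regions=frozenset({"us-east-1"}),
)


def _rec(name, ip, ua, region, source="ec2.amazonaws.com"):
    """Build one constructed CloudTrail record with the fields the scorer reads."""
    return {"eventVersion": "1.08", "eventSource": source, "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000001"}}


# Constructed log file in the S3 delivery shape (events wrapped in "Records").
CLOUDTRAIL_LOG = json.dumps({"Records": [
    _rec("DescribeInstances", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
    _rec("DeleteRoute", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
    _rec("DeleteVpc", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
    _rec("DeleteSecurityGroup", "198.51.100.7", "aws-cli/2.15.0", "eu-west-3"),
    _rec("DeleteConfigRule", "203.0.113.10", "python-requests/2.31.0", "us-east-1",
         source="config.amazonaws.com"),
    _rec("DeleteRouteTable", "198.51.100.7", "python-requests/2.31.0", "ap-south-1"),
]})
RECORDS = json.loads(CLOUDTRAIL_LOG)["Records"]

if __name__ == "__main__":
    for alert in alerts(RECORDS, BASELINE):
        print(alert)
```

Note that a disruptive call with no unexpected property (the routine DeleteRoute above) produces no alert at all, which is the behaviour the false-positive list below implies for authorized automation; tuning the baseline, rather than the API list, is how such automation is kept quiet.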

Investigation and Remediation

Investigate the source and context of the API calls and confirm whether they were part of authorized changes. If they were not, revoke the credentials that made the calls, review the surrounding AWS CloudTrail activity for the same identity, source address and user agent, and assess the damage. Restore affected resources from backups where possible.

Known False Positives

  • Authorized infrastructure changes during maintenance or upgrades
  • Legitimate automated scripts or tools managing resources