AWS API calls indicating disruption
Description
AlphaSOC detected the use of AWS APIs associated with disruption: deleting or modifying critical resources such as VPCs, security groups, route tables, and configuration rules. This activity could indicate an attempt to disrupt cloud operations by destroying or tampering with data, potentially as part of a broader compromise of the AWS infrastructure.
Impact
Unauthorized use of AWS APIs can cause significant disruption, including extended downtime, data loss, or security breaches. It may result in the deletion of critical network components, removal of security controls, or the alteration of configurations, undermining the integrity, availability, and confidentiality of cloud services.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, User Agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the source and context of the API calls and confirm whether they were part of authorized changes. If they were not, revoke the credentials, review the AWS CloudTrail logs for the affected account, and assess the damage. Restore affected resources from backups where possible.
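The scoring in the severity table and the CloudTrail review above, worked through as an added example (not AlphaSOC's own code): each disruptive call is compared against a per-principal baseline and the number of unexpected properties is mapped to a severity. The event names are real CloudTrail values; the baseline, the principal ARN, the IP-to-ASN mapping and the sample records are constructed, and the ASN lookup stands in for an enrichment step that CloudTrail itself does not provide.

```python
# Destructive API calls this detection covers (real CloudTrail eventName values).
DISRUPTIVE_ACTIONS = {
    "DeleteVpc", "DeleteSecurityGroup", "RevokeSecurityGroupIngress", "DeleteRoute",
    "DeleteRouteTable", "ReplaceRoute", "DeleteConfigRule", "StopConfigurationRecorder",
}
SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}  # unexpected-property count -> severity
# Constructed IP-to-ASN table standing in for an enrichment step; this is an
# assumption, since CloudTrail records carry sourceIPAddress but no ASN.
IP_TO_ASN = {"203.0.113.10": "AS64500", "198.51.100.7": "AS64501"}
DEPLOYER = "arn:aws:iam::123456789012:role/infra-deployer"  # constructed principal
# Constructed baseline of what is normal for that principal, per property.
BASELINE = {DEPLOYER: {"action": {"DeleteSecurityGroup", "DeleteRoute"}, "ASN": {"AS64500"},
                       "user agent": {"aws-cli"}, "region": {"us-east-1"}}}

def score_event(event, baseline=BASELINE, ip_to_asn=IP_TO_ASN):
    """(severity, unexpected properties) for a disruptive call, else None."""
    if event.get("eventName") not in DISRUPTIVE_ACTIONS:
        return None
    known = baseline.get(event.get("userIdentity", {}).get("arn"), {})
    observed = {
        "action": event["eventName"],
        "ASN": ip_to_asn.get(event.get("sourceIPAddress"), "unknown"),
        # Keep only the product token: "aws-cli/2.13.0 Python/3.11.4" -> "aws-cli"
        "user agent": event.get("userAgent", "").split("/")[0].lower(),
        "region": event.get("awsRegion"),
    }
    unexpected = [prop for prop, value in observed.items() if value not in known.get(prop, set())]
    # The table stops at three properties; four is capped at Medium (assumption).
    return SEVERITY[min(len(unexpected), 3)], unexpected

def triage(events):
    """One (eventName, severity, unexpected) tuple per event that raises an alert."""
    alerts = []
    for event in events:
        result = score_event(event)
        if result and result[0]:  # skip non-disruptive calls and fully expected ones
            alerts.append((event["eventName"], result[0], result[1]))
    return alerts

# Constructed CloudTrail-style records (not real logs) used to exercise the scorer.
_UA = "aws-cli/2.13.0 Python/3.11.4"
SAMPLE_EVENTS = [
    {"eventName": "DeleteSecurityGroup", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": _UA, "userIdentity": {"arn": DEPLOYER}},  # fully expected: no alert
    {"eventName": "DeleteRouteTable", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": _UA, "userIdentity": {"arn": DEPLOYER}},  # unexpected action only
    {"eventName": "DeleteVpc", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "Boto3/1.28.0 Python/3.11.4", "userIdentity": {"arn": DEPLOYER}},  # all four
]
```

Running `triage(SAMPLE_EVENTS)` flags the second record as Informational and the third as Medium, while the first is suppressed by the baseline, which is how authorized automation from the known false-positive list stays quiet.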
Known False Positives
- Authorized infrastructure changes during maintenance or upgrades
- Legitimate automated scripts or tools managing resources