Multiple AWS API calls executed in dry run mode

ID: aws_dry_run
Data type: AWS CloudTrail
Severity: Low - Medium
MITRE ATT&CK: TA0007:T1580 (Discovery: Cloud Infrastructure Discovery)

Description

AlphaSOC detected a high volume (10 or more) of AWS API calls executed in dry run mode. The DryRun flag, supported by most Amazon EC2 API actions, asks the service to check whether the caller is permitted to perform the action without actually performing it. A permitted dry run is recorded in CloudTrail as a failed event with errorCode Client.DryRunOperation and the message "Request would have succeeded, but DryRun flag is set."; a dry run the caller is not permitted to make fails with Client.UnauthorizedOperation, which is the same error code a real denied call produces. A burst of such events may indicate reconnaissance, where a threat actor maps which resources and permissions a compromised principal has access to without making changes that would draw attention.

Impact

Dry run API calls let an attacker enumerate the AWS environment and test which actions a set of credentials can perform without creating, modifying or deleting any resource, so the probing is cheap and leaves little trace beyond CloudTrail error events. The resulting map of effective permissions can guide privilege escalation or direct exploitation, which could lead to unauthorized access, data breaches, resource manipulation, or other malicious activity within the AWS infrastructure.

Severity

Severity   Condition
Low        Multiple AWS API calls executed in dry run mode
Medium     Multiple AWS API calls in dry run mode from an unexpected ASN, user agent or region

Investigation and Remediation

Analyze AWS CloudTrail logs to determine the source and intent of the API calls: filter on errorCode Client.DryRunOperation, group by userIdentity.arn, and review the source IP address, user agent, region and the set of API actions that were tested. Verify whether the activity originates from authorized users or systems. If it is unauthorized, rotate or deactivate the affected access keys, revoke any active sessions for the compromised principal, tighten the relevant IAM policies, and enforce multi-factor authentication (MFA).
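The following added example, which is not AlphaSOC's code, applies the detection described above and the Low/Medium severity split from the table to CloudTrail records, and produces the per-principal summary (actions probed, source IPs, user agents) an investigator would pull first. It assumes a one-hour window, the threshold of 10 from the description, a hypothetical per-account baseline of expected regions, user agents and ASNs, and a constructed IP-to-ASN lookup; the sample records are constructed, not real CloudTrail output.

```python
"""Added example: flag bursts of EC2 dry-run calls in CloudTrail and rate them Low/Medium.

Not AlphaSOC's code. Baseline values and the 1-hour window are assumptions; the
sample records and the IP -> ASN lookup are constructed, not real CloudTrail output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                            # "10 or more" dry-run calls, per the description
WINDOW = timedelta(hours=1)               # assumption: the page does not state a window
DRY_RUN_ERROR = "Client.DryRunOperation"  # CloudTrail errorCode for a permitted EC2 dry run

# Hypothetical per-account baseline (assumption): what "expected" looks like for this account.
EXPECTED_REGIONS = {"us-east-1"}
EXPECTED_UA_PREFIXES = ("aws-cli/",)
EXPECTED_ASNS = {16509}                   # AS16509 is Amazon; calls from it are treated as expected


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def severity_for(events, asn_lookup):
    """Return ("Low", []) or ("Medium", reasons) following the page's severity table."""
    reasons = []
    regions = {e["awsRegion"] for e in events} - EXPECTED_REGIONS
    if regions:
        reasons.append("unexpected region(s): " + ", ".join(sorted(regions)))
    uas = {e["userAgent"] for e in events if not e["userAgent"].startswith(EXPECTED_UA_PREFIXES)}
    if uas:
        reasons.append("unexpected user agent(s): " + ", ".join(sorted(uas)))
    asns = {asn_lookup.get(e["sourceIPAddress"]) for e in events} - EXPECTED_ASNS
    if asns:
        reasons.append("unexpected ASN(s): " + ", ".join(sorted(str(a) for a in asns)))
    return ("Medium", reasons) if reasons else ("Low", reasons)


def detect_dry_run_bursts(records, asn_lookup):
    """Group dry-run failures by principal; alert when THRESHOLD of them fall inside one WINDOW."""
    by_principal = defaultdict(list)
    for r in records:
        if r.get("errorCode") == DRY_RUN_ERROR:          # the marker CloudTrail writes for a dry run
            by_principal[r["userIdentity"]["arn"]].append(r)

    alerts = []
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        times = [parse_time(e["eventTime"]) for e in evs]
        start, burst = 0, False
        for end in range(len(evs)):
            while times[end] - times[start] > WINDOW:    # slide the window forward
                start += 1
            if end - start + 1 >= THRESHOLD:
                burst = True
                break
        if not burst:
            continue
        severity, reasons = severity_for(evs, asn_lookup)
        alerts.append({
            "principal": arn,
            "count": len(evs),
            "severity": severity,
            "reasons": reasons,
            # What an investigator wants next: which APIs were probed, from where, with what client.
            "actions": sorted({e["eventName"] for e in evs}),
            "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
            "user_agents": sorted({e["userAgent"] for e in evs}),
        })
    return alerts


def _record(arn, event_name, t, ip, ua, region):
    """Build a minimal constructed CloudTrail record carrying only the fields used above."""
    return {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": "ec2.amazonaws.com",
            "eventName": event_name, "awsRegion": region, "sourceIPAddress": ip,
            "userAgent": ua, "errorCode": DRY_RUN_ERROR,
            "errorMessage": "Request would have succeeded, but DryRun flag is set.",
            "userIdentity": {"arn": arn}}


_T0 = datetime(2024, 5, 1, 12, 0, 0)
PROBED_ACTIONS = ["DescribeInstances", "RunInstances", "CreateSecurityGroup",
                  "AuthorizeSecurityGroupIngress", "CreateKeyPair", "ModifyInstanceAttribute"]
ATTACKER = "arn:aws:iam::123456789012:user/alice"                        # constructed: 12 probes in 6 min
CI_ROLE = "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"     # constructed: 3 routine probes

SAMPLE_RECORDS = [
    _record(ATTACKER, PROBED_ACTIONS[i % 6], _T0 + timedelta(seconds=30 * i),
            "198.51.100.7", "python-requests/2.31", "ap-southeast-2") for i in range(12)
] + [
    _record(CI_ROLE, "RunInstances", _T0 + timedelta(minutes=i), "203.0.113.5",
            "aws-cli/2.15.0 md/awscrt#0.19.19 ua/2.0 os/linux", "us-east-1") for i in range(3)
]
SAMPLE_ASN = {"198.51.100.7": 64496, "203.0.113.5": 16509}   # constructed IP -> ASN lookup

if __name__ == "__main__":
    for a in detect_dry_run_bursts(SAMPLE_RECORDS, SAMPLE_ASN):
        print(a["severity"], a["principal"], a["count"], "; ".join(a["reasons"]))
        print("  actions:", ", ".join(a["actions"]))
```

The CI role's three dry runs never reach the threshold and would rate Low even if they did, because they come from the expected region, client and ASN; the user's twelve probes in six minutes trigger an alert and are raised to Medium on all three conditions from the severity table. Note that the filter matches only Client.DryRunOperation; dry runs that were denied come back as Client.UnauthorizedOperation and are not distinguishable by error code from real denied calls, so the count is a lower bound on the probing.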

Known False Positives

  • Security tools or scanners performing authorized security assessments
  • Users validating configurations, conducting training, or testing in sandboxed environments