Unexpected AWS API calls indicating IP set modification
Description
AlphaSOC detected unexpected API calls such as CreateIPSet (AWS WAFV2 or AWS GuardDuty) or UpdateIPSet (AWS WAFV2), indicating AWS IPSet creation or modification. Unauthorized AWS IPSet modifications may signal attempts to manipulate security controls.
Impact
Threat actors may exploit these changes to bypass AWS WAF rules, allowing previously blocked traffic or disabling monitoring for specific IP ranges. This can lead to further system compromise, lateral movement within the cloud environment, and potential service disruption.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the AWS IAM user or role responsible for the API calls. Verify whether the changes were authorized and part of a business process. If unauthorized, revert the AWS IPSet modifications to their previous state and rotate all potentially compromised credentials.
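The following triage script is an added example, not AlphaSOC's detection code. It walks CloudTrail records, keeps only the CreateIPSet and UpdateIPSet calls from the WAFV2 and GuardDuty event sources named above, checks each call's action, source ASN, user agent and region against a baseline, and maps the number of simultaneously unexpected properties to the severity levels in the table. The CloudTrail records, the baseline and the IP-to-ASN map are all constructed for illustration; a real baseline would be learned from the account's historical CloudTrail activity and the ASN would come from a lookup service. The `addresses` field is pulled from `requestParameters` so a responder can see which ranges a call submitted when deciding what to revert.

```python
"""Triage CloudTrail records for AWS IPSet creation or modification.

Added example (not AlphaSOC's detection code). The CloudTrail records, the
baseline of expected properties and the IP-to-ASN map are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# eventSource -> eventNames that create or modify an IPSet.
IPSET_EVENTS = {
    "wafv2.amazonaws.com": {"CreateIPSet", "UpdateIPSet"},
    "guardduty.amazonaws.com": {"CreateIPSet"},
}

# Constructed baseline of what is routine in this account. In practice this
# is learned from historical CloudTrail activity rather than hard-coded.
BASELINE = {
    "actions": {"UpdateIPSet"},
    "asns": {16509},                  # constructed: the corporate egress ASN
    "user_agents": {"aws-cli/2.15.0"},
    "regions": {"us-east-1"},
}

# Constructed IP -> ASN map standing in for a real ASN lookup service.
ASN_LOOKUP = {"203.0.113.10": 16509, "198.51.100.7": 64500}


@dataclass
class Finding:
    event_name: str
    principal: str
    source_ip: str
    region: str
    addresses: List[str]              # IP ranges submitted with the call, if any
    unexpected: List[str] = field(default_factory=list)
    severity: Optional[str] = None


def severity_for(count: int) -> Optional[str]:
    """Map the number of simultaneously unexpected properties to a severity."""
    if count == 0:
        return None
    if count == 1:
        return "Informational"
    if count == 2:
        return "Low"
    return "Medium"


def triage(record: Dict) -> Optional[Finding]:
    """Return a Finding for an IPSet create/update call, or None otherwise."""
    name = record.get("eventName")
    if name not in IPSET_EVENTS.get(record.get("eventSource"), set()):
        return None
    unexpected = []
    if name not in BASELINE["actions"]:
        unexpected.append("action")
    if ASN_LOOKUP.get(record.get("sourceIPAddress")) not in BASELINE["asns"]:
        unexpected.append("asn")
    if record.get("userAgent") not in BASELINE["user_agents"]:
        unexpected.append("user_agent")
    if record.get("awsRegion") not in BASELINE["regions"]:
        unexpected.append("region")
    params = record.get("requestParameters") or {}
    return Finding(
        event_name=name,
        principal=record["userIdentity"]["arn"],
        source_ip=record.get("sourceIPAddress", ""),
        region=record.get("awsRegion", ""),
        addresses=list(params.get("addresses", [])),
        unexpected=unexpected,
        severity=severity_for(len(unexpected)),
    )


def triage_records(records: List[Dict]) -> List[Finding]:
    """Return only the findings with at least one unexpected property."""
    findings = [triage(r) for r in records]
    return [f for f in findings if f is not None and f.severity is not None]


# Constructed CloudTrail records: field names follow the CloudTrail schema,
# all values are fictitious.
SAMPLE_RECORDS = [
    {   # routine update from the expected role, ASN, tool and region
        "eventSource": "wafv2.amazonaws.com", "eventName": "UpdateIPSet",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecOpsAdmin"},
        "requestParameters": {"name": "blocklist", "scope": "REGIONAL",
                              "addresses": ["192.0.2.0/24"]},
    },
    {   # update from a new ASN, new tool and new region at the same time
        "eventSource": "wafv2.amazonaws.com", "eventName": "UpdateIPSet",
        "awsRegion": "eu-west-3", "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34.0",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {"name": "blocklist", "scope": "REGIONAL",
                              "addresses": []},   # the block list was emptied
    },
    {   # GuardDuty IPSet creation: only the action is new for this account
        "eventSource": "guardduty.amazonaws.com", "eventName": "CreateIPSet",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecOpsAdmin"},
        "requestParameters": {"name": "trusted-ips", "format": "TXT"},
    },
    {   # read-only call: not in scope for this detection
        "eventSource": "wafv2.amazonaws.com", "eventName": "GetIPSet",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecOpsAdmin"},
    },
]

if __name__ == "__main__":
    for f in triage_records(SAMPLE_RECORDS):
        print(f.severity, f.event_name, f.principal, f.unexpected, f.addresses)
```

Run against the constructed records, the routine update produces no finding, the contractor's update scores three unexpected properties (Medium), and the GuardDuty CreateIPSet scores one (Informational). The `principal` and `source_ip` fields are what the CloudTrail review above needs to identify the IAM user or role responsible, and an emptied `addresses` list on an UpdateIPSet call is the kind of change worth reverting if it turns out to be unauthorized.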
Known False Positives
- Administrators making authorized changes to AWS IPSets as part of routine maintenance or security updates