AWS API calls indicating evasion attempts on Amazon Macie
Description
AlphaSOC detected the use of AWS APIs indicating potential evasion attempts targeting Amazon Macie. This detection suggests that a threat actor may be attempting to bypass or disable Macie's protective features within the AWS environment. To detect evasion attempts, the detection analyzes API calls that disable Macie's features, archive results, modify accounts or sessions, or update classification jobs.
Impact
Successful evasion of Amazon Macie can lead to compromised data classification capabilities, undetected sensitive data exposure, and potential regulatory violations. Organizations may face reduced security visibility, compliance failures, and financial penalties while losing critical data protection controls meant to safeguard sensitive information.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple Macie-related actions performed by the same entity |
Investigation and Remediation
Investigate the specific AWS APIs and actions used in the evasion attempt. Review Macie and AWS CloudTrail logs for suspicious activities. Identify the source of the API calls and determine if they were authorized. If unauthorized, immediately revoke the associated credentials and permissions.
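As a starting point for the CloudTrail review described above, the following added example (not AlphaSOC's detection logic) groups Macie calls by calling principal and keeps principals with multiple relevant actions, matching the severity condition. The event-name mapping, the `requestParameters.action` check, the threshold, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: this mapping of the page's categories to macie2 event names is
# illustrative; the page does not list the exact API calls the detection uses.
WATCHED = {
    "DisableMacie": "disable", "DisableOrganizationAdminAccount": "disable",
    "CreateFindingsFilter": "archive", "UpdateFindingsFilter": "archive",
    "UpdateMacieSession": "session", "UpdateMemberSession": "session",
    "DeleteMember": "account", "DisassociateMember": "account",
    "UpdateClassificationJob": "job",
}

def is_relevant(rec):
    """True for a Macie call that reduces coverage or hides results."""
    name = rec.get("eventName")
    if rec.get("eventSource") != "macie2.amazonaws.com" or name not in WATCHED:
        return False
    if WATCHED[name] == "archive":
        # A findings filter only suppresses results when its action is ARCHIVE.
        return (rec.get("requestParameters") or {}).get("action") == "ARCHIVE"
    return True

def flag_principals(records, threshold=2):
    """Group relevant calls by caller ARN; keep callers with >= threshold calls."""
    hits = defaultdict(list)
    for rec in records:
        if is_relevant(rec):
            arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
            hits[arn].append({k: rec.get(k) for k in
                              ("eventTime", "eventName", "sourceIPAddress", "errorCode")})
    return {arn: sorted(ev, key=lambda e: e["eventTime"] or "")
            for arn, ev in hits.items() if len(ev) >= threshold}

def _rec(time, name, arn, params=None, error=None):
    return {"eventTime": time, "eventSource": "macie2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": "198.51.100.7",
            "requestParameters": params, "errorCode": error}

# Constructed sample records (not real CloudTrail data).
OPS = "arn:aws:iam::111122223333:user/ops-example"
DEV = "arn:aws:iam::111122223333:user/dev-example"
SAMPLE = [
    _rec("2024-01-01T10:05:00Z", "UpdateClassificationJob", OPS, {"jobStatus": "CANCELLED"}),
    _rec("2024-01-01T10:01:00Z", "CreateFindingsFilter", OPS, {"action": "ARCHIVE"}),
    _rec("2024-01-01T10:09:00Z", "DisableMacie", OPS, error="AccessDenied"),
    _rec("2024-01-01T10:02:00Z", "CreateFindingsFilter", DEV, {"action": "NOOP"}),
    _rec("2024-01-01T10:03:00Z", "GetFindings", DEV),
    _rec("2024-01-01T10:04:00Z", "UpdateMacieSession", DEV, {"status": "PAUSED"}),
]
```

Denied calls are kept in the output with their `errorCode`, since a failed attempt to disable Macie still identifies the credentials to review.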