AWS API calls indicating Organizations discovery
Description
AlphaSOC detected unexpected API calls indicating Organizations discovery activities. AWS Organizations is a service that allows users to combine multiple AWS accounts into one organization for centralized management. This finding may indicate an attempt to gather information about the AWS Organizations structure, which includes details about accounts, organizational units, and policies. Actions initiated by AWS services are exempt from the detection to avoid false positives.
Impact
Successful Organizations discovery can provide threat actors with valuable insight into the structure and scope of an organization's AWS environment. This information can be used to identify high-value targets, understand security perimeters, and plan more sophisticated attacks. It can lead to unauthorized access, privilege escalation, or data exfiltration across multiple AWS accounts within the organization.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
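As an added illustration (not AlphaSOC's detection code), the following Python scores constructed CloudTrail records for AWS Organizations discovery calls the way the severity table describes, exempting service-initiated calls. The discovery action list, the baseline of expected properties, the IP-to-ASN map and the treatment of four unexpected properties as Medium are assumptions.

```python
# Added example, not AlphaSOC's implementation: grade Organizations discovery
# calls in CloudTrail records by counting unexpected properties.
from typing import Dict, Optional

# Assumption: a representative subset of AWS Organizations read/list actions.
DISCOVERY_ACTIONS = {
    "DescribeOrganization", "ListAccounts", "ListRoots", "ListPolicies",
    "ListOrganizationalUnitsForParent", "ListAccountsForParent",
}

# Constructed baseline of what is "expected" for this tenant (hypothetical values).
BASELINE = {
    "actions": {"DescribeOrganization", "ListAccounts"},
    "asns": {"AS16509"},
    "user_agents": {"aws-cli/2.15.0"},
    "regions": {"us-east-1"},
}

# Constructed IP -> ASN lookup. CloudTrail carries no ASN field, so a real
# pipeline enriches sourceIPAddress with an ASN database before scoring.
IP_TO_ASN = {"203.0.113.10": "AS64496", "198.51.100.5": "AS16509"}


def score_event(event: Dict, baseline: Dict = BASELINE) -> Optional[str]:
    """Return the finding severity for one CloudTrail record, or None if not a finding."""
    if event.get("eventSource") != "organizations.amazonaws.com":
        return None
    if event.get("eventName") not in DISCOVERY_ACTIONS:
        return None
    ident = event.get("userIdentity", {})
    # Calls initiated by AWS services are exempt to avoid false positives
    # (assumption: both a service principal and an invokedBy service qualify).
    if ident.get("type") == "AWSService" or ident.get("invokedBy"):
        return None
    asn = IP_TO_ASN.get(event.get("sourceIPAddress", ""), "unknown")
    unexpected = [
        event["eventName"] not in baseline["actions"],
        asn not in baseline["asns"],
        event.get("userAgent") not in baseline["user_agents"],
        event.get("awsRegion") not in baseline["regions"],
    ]
    count = sum(unexpected)
    if count == 0:
        return None
    # One property -> Informational, two -> Low, three or more -> Medium.
    return {1: "Informational", 2: "Low"}.get(count, "Medium")
```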
Investigation and Remediation
Investigate the source of the API calls, including the IAM user or role that performed the actions. Review CloudTrail logs to understand the full scope of discovery activities. If unauthorized, revoke the access immediately and rotate any compromised credentials. Analyze other activities from the same source to identify potential malicious actions.