Anomalous use of AWS APIs indicating reconnaissance
Description
AlphaSOC detected the use of AWS APIs suggesting reconnaissance activities. This indicates that an attacker may be gathering information about the target's AWS infrastructure. Reconnaissance is a critical phase in which adversaries research, identify, and select targets by probing for vulnerabilities or mapping the network.
Impact
Sensitive information about the cloud infrastructure may be used by threat actors to identify vulnerabilities, misconfigurations, or valuable targets within the environment. This knowledge can be used to plan more sophisticated attacks, potentially resulting in data breaches, resource hijacking, or service disruptions.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the specific APIs used, the calling entity, and the accessed resources. If the reconnaissance was unauthorized, revoke any credentials, review and tighten IAM policies, and monitor for further anomalous activity.
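As an added illustration (not AlphaSOC's code), the following Python scores constructed CloudTrail records against a per-principal baseline of the four properties named in the severity table and lists the calling entity, API and source IP for each alerting event. The baseline, the IP-to-ASN table, the principal ARN and the sample events are all constructed, and treating three or more unexpected properties as Medium is an assumption.

```python
# Constructed baseline for one IAM principal, built from its prior CloudTrail history.
BASELINE = {
    "action": {"DescribeInstances", "GetObject", "ListBuckets"},
    "asn": {16509},  # constructed: the ASN this principal normally calls from
    "user_agent": {"aws-cli/2.15.0"},
    "region": {"us-east-1"},
}
# Constructed source-IP -> ASN table; a real pipeline would use an ASN/GeoIP database.
IP_TO_ASN = {"52.94.76.10": 16509, "203.0.113.7": 64496}
# Severity ladder from the table above; three or more unexpected properties map to Medium.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}
ARN = "arn:aws:iam::123456789012:user/deploy"  # constructed principal

# Constructed CloudTrail records, trimmed to the fields the detection reads.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "52.94.76.10",
     "userAgent": "aws-cli/2.15.0", "awsRegion": "us-east-1", "userIdentity": {"arn": ARN}},
    {"eventName": "ListUsers", "sourceIPAddress": "52.94.76.10",
     "userAgent": "aws-cli/2.15.0", "awsRegion": "us-east-1", "userIdentity": {"arn": ARN}},
    {"eventName": "GetAccountAuthorizationDetails", "sourceIPAddress": "203.0.113.7",
     "userAgent": "python-requests/2.31.0", "awsRegion": "eu-west-3", "userIdentity": {"arn": ARN}},
]


def unexpected_properties(event, baseline=BASELINE):
    """Return the names of the four compared properties whose value lies outside the baseline."""
    observed = {
        "action": event["eventName"],
        "asn": IP_TO_ASN.get(event["sourceIPAddress"]),  # unknown IP -> None -> unexpected
        "user_agent": event["userAgent"],
        "region": event["awsRegion"],
    }
    return [name for name, value in observed.items() if value not in baseline[name]]


def score_event(event, baseline=BASELINE):
    """Map the number of unexpected properties onto the severity table; None means no alert."""
    unexpected = unexpected_properties(event, baseline)
    return SEVERITY.get(min(len(unexpected), 3)), unexpected


def triage(events, baseline=BASELINE):
    """List alerting events with the calling entity, API, source IP, severity and reasons."""
    rows = []
    for ev in events:
        severity, unexpected = score_event(ev, baseline)
        if severity is not None:
            rows.append((ev["userIdentity"]["arn"], ev["eventName"],
                         ev["sourceIPAddress"], severity, unexpected))
    return rows
```

Running `triage(SAMPLE_EVENTS)` drops the baseline-conformant DescribeInstances call, flags ListUsers as Informational (new action only), and flags the GetAccountAuthorizationDetails call from an unfamiliar ASN, user agent and region as Medium.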
Known False Positives
- Automated scripts or tools used by the IT team for infrastructure management and monitoring
- Third-party cloud management or optimization tools legitimately querying AWS resources
- Security teams conducting authorized vulnerability assessments or penetration testing
- AWS's own internal processes performing routine checks or optimizations on the account