
Anomalous use of AWS APIs indicating reconnaissance

ID: aws_reconnaissance_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0007:T1580

Description

AlphaSOC detected the use of AWS APIs suggesting reconnaissance activity. This indicates that an attacker may be gathering information about the target's AWS infrastructure. Reconnaissance is a critical phase in which adversaries research, identify, and select targets by probing for vulnerabilities or mapping the network.

Impact

Sensitive information about the cloud infrastructure may be used by threat actors to identify vulnerabilities, misconfigurations, or valuable targets within the environment. This knowledge can be used to plan more sophisticated attacks, potentially resulting in data breaches, resource hijacking, or service disruptions.

Severity

Severity       Condition
Informational  Unexpected action, ASN, user agent or region
Low            Two unexpected properties at the same time
Medium         Three unexpected properties at the same time

Investigation and Remediation

Review AWS CloudTrail logs to identify the specific APIs used, the calling entity, and the accessed resources. If the reconnaissance was unauthorized, revoke any credentials, review and tighten IAM policies, and monitor for further anomalous activity.
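The following is an added example, not AlphaSOC's detection code: it scores CloudTrail records against a per-principal baseline of expected action, ASN, user agent and region, and applies the severity ladder from the table above (four unexpected properties at once is assumed to stay Medium, since the table stops at three). The baseline, the IP-to-ASN stub and the sample records are constructed; field names follow the CloudTrail record format.

```python
# Constructed baseline: what each IAM principal is normally seen doing.
BASELINE = {
    "arn:aws:iam::123456789012:user/deploy-bot": {
        "action": {"ec2:DescribeInstances", "ec2:RunInstances"},
        "asn": {"AS16509"},
        "user_agent": {"aws-cli/2.15.0"},
        "region": {"us-east-1"},
    }
}

# CloudTrail records the source IP, not the ASN; this stub stands in for the
# IP-to-ASN enrichment a real pipeline would do.
IP_TO_ASN = {"52.95.0.10": "AS16509", "203.0.113.7": "AS64496"}

def severity(unexpected_count):
    """Severity table: 1 -> Informational, 2 -> Low, 3 -> Medium.
    Four unexpected properties at once is assumed to stay Medium."""
    if unexpected_count == 0:
        return None
    return {1: "Informational", 2: "Low"}.get(unexpected_count, "Medium")

def score_event(event):
    """Return (principal, names of unexpected properties, severity) for one record."""
    principal = event["userIdentity"]["arn"]
    baseline = BASELINE.get(principal, {})  # no baseline: everything is unexpected
    service = event["eventSource"].split(".")[0]  # "iam.amazonaws.com" -> "iam"
    observed = {
        "action": f"{service}:{event['eventName']}",
        "asn": IP_TO_ASN.get(event["sourceIPAddress"], "unknown"),
        "user_agent": event["userAgent"],
        "region": event["awsRegion"],
    }
    unexpected = [k for k, v in observed.items() if v not in baseline.get(k, ())]
    return principal, unexpected, severity(len(unexpected))

def make_event(service, name, region, ip, ua):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
            "eventSource": f"{service}.amazonaws.com", "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip, "userAgent": ua}

# Four constructed records: normal, then one, two and three unexpected properties.
SAMPLE_RECORDS = [
    make_event("ec2", "DescribeInstances", "us-east-1", "52.95.0.10", "aws-cli/2.15.0"),
    make_event("iam", "ListUsers", "us-east-1", "52.95.0.10", "aws-cli/2.15.0"),
    make_event("ec2", "DescribeInstances", "eu-west-3", "203.0.113.7", "aws-cli/2.15.0"),
    make_event("sts", "GetCallerIdentity", "us-east-1", "203.0.113.7", "python-requests/2.31"),
]
```

Running `score_event` over `SAMPLE_RECORDS` yields no alert, Informational, Low and Medium in turn, with the unexpected property names listed so an analyst can see which of action, ASN, user agent or region drove the score.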

Known False Positives

  • Automated scripts or tools used by the IT team for infrastructure management and monitoring
  • Third-party cloud management or optimization tools legitimately querying AWS resources
  • Security teams conducting authorized vulnerability assessments or penetration testing
  • AWS's own internal processes performing routine checks or optimizations on the account