AWS API calls indicating discovery using AWS Tagging API
Description
AlphaSOC detected the discovery of AWS resources using the AWS Resource Groups
Tagging API, indicated by the use of the DescribeTags action. The AWS Tagging
API allows users to query and discover AWS resources based on their tags. Threat
actors may leverage this to enumerate and map AWS resources within the
environment, often as part of reconnaissance before an attack.
Impact
Unauthorized use of the DescribeTags action can provide adversaries with
valuable information about the structure of AWS resources, which can be used to
identify high-value targets, understand the environment's layout, and plan
further attacks. It may lead to exploitation of vulnerabilities or
misconfigurations in the AWS infrastructure.
Severity
Severity | Condition |
---|---|
Informational | Unexpected action, ASN, user agent or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the origin of the API calls, including the AWS IAM user or role that performed the action. Review the context of the API usage and determine if the actions were authorized. If unauthorized, revoke the relevant permissions, rotate affected credentials, and analyze logs for other malicious activity.
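
The Severity table above, applied to CloudTrail-style DescribeTags records as an added example (not AlphaSOC's own detection code). The per-principal `BASELINE`, the `asn` enrichment field and every event are constructed for illustration, and capping four unexpected properties at Medium is an assumption because the table stops at three.

```python
# Added example: score DescribeTags events by how many properties are unexpected.
# BASELINE, the "asn" enrichment field and all events below are constructed.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}  # from the Severity table

ROLE = "arn:aws:iam::111122223333:role/inventory"
USER = "arn:aws:iam::111122223333:user/build"

# Hypothetical per-principal baseline of values seen during normal operation.
BASELINE = {
    ROLE: {"action": {"DescribeTags"}, "asn": {64500},
           "userAgent": {"aws-cli/2.15.0"}, "awsRegion": {"us-east-1"}},
    USER: {"action": {"PutObject"}, "asn": {64500},
           "userAgent": {"aws-cli/2.15.0"}, "awsRegion": {"us-east-1"}},
}

def event(arn, asn, agent, region, ip="198.51.100.7"):
    """Build a constructed CloudTrail-style record (asn added by enrichment)."""
    return {"eventName": "DescribeTags", "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "asn": asn, "userAgent": agent,
            "awsRegion": region}

def unexpected_properties(ev, baseline=BASELINE):
    """Return the names of properties absent from the principal's baseline."""
    known = baseline.get(ev["userIdentity"]["arn"], {})
    observed = {"action": ev["eventName"], "asn": ev["asn"],
                "userAgent": ev["userAgent"], "awsRegion": ev["awsRegion"]}
    return sorted(k for k, v in observed.items() if v not in known.get(k, set()))

def score(ev, baseline=BASELINE):
    """Return a finding dict, or None when nothing is unexpected."""
    if ev["eventName"] != "DescribeTags":
        return None
    odd = unexpected_properties(ev, baseline)
    if not odd:
        return None
    # Assumption: four unexpected properties are capped at Medium,
    # since the table defines no higher level.
    return {"principal": ev["userIdentity"]["arn"],
            "sourceIPAddress": ev["sourceIPAddress"],
            "unexpected": odd, "severity": SEVERITY[min(len(odd), 3)]}

EVENTS = [
    event(ROLE, 64500, "aws-cli/2.15.0", "us-east-1"),
    event(ROLE, 64500, "aws-cli/2.15.0", "eu-west-3"),
    event(USER, 64510, "aws-cli/2.15.0", "us-east-1", ip="203.0.113.9"),
    event(USER, 64510, "python-requests/2.31.0", "us-east-1", ip="203.0.113.9"),
]
if __name__ == "__main__":
    for ev in EVENTS:
        print(score(ev))
```

Each finding carries the principal and source IP, which are the starting points for the investigation steps above.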