AWS API calls indicating AWS API Gateway keys access
Description
AlphaSOC detected that AWS API Gateway keys were accessed using GetApiKey or GetApiKeys actions. These API calls retrieve information about a specific API key or a collection of API keys. Threat actors may use them to gather information about existing API keys, potentially in preparation for an attack.
Impact
Use of these actions may indicate reconnaissance by threat actors seeking to identify and exploit vulnerabilities in API Gateway configurations. This could potentially allow them to bypass authentication mechanisms and gain access to sensitive data or services protected by these keys.
Severity
Severity | Condition |
---|---|
Informational | Unexpected action, ASN, user agent or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or role that performed the action and verify whether it was authorized. If unauthorized, rotate any potentially compromised credentials and API keys, and conduct a thorough security assessment of the AWS environment for other signs of compromise.
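The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it filters records for the two actions and grades each one against the severity table on this page. The baseline, the IP-to-ASN mapping, the sample records and the treatment of four unexpected properties as Medium are all assumptions.

```python
WATCHED = {"GetApiKey", "GetApiKeys"}
# Severity table from this page. Four unexpected properties is not listed
# there; mapping it to Medium is an assumption.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium", 4: "Medium"}

# Constructed baseline: what each principal normally does (assumption).
BASELINE = {
    "arn:aws:iam::111122223333:role/deploy": {
        "action": {"GetApiKeys"}, "region": {"eu-west-1"},
        "user_agent": {"aws-cli/2.15.0"}, "asn": {16509},
    },
}
# Constructed IP-to-ASN enrichment; CloudTrail only records sourceIPAddress.
IP_TO_ASN = {"198.51.100.7": 16509, "203.0.113.50": 64500}

# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE = [
    {"eventSource": "apigateway.amazonaws.com", "eventName": "GetApiKeys",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}},
    {"eventSource": "apigateway.amazonaws.com", "eventName": "GetApiKeys",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
     "userAgent": "python-requests/2.31.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}},
]

def triage(records, baseline=BASELINE, ip_to_asn=IP_TO_ASN):
    """Return one finding per key-read call that deviates from the baseline."""
    findings = []
    for r in records:
        if (r.get("eventSource") != "apigateway.amazonaws.com"
                or r.get("eventName") not in WATCHED):
            continue
        arn = r.get("userIdentity", {}).get("arn", "unknown")
        seen = {
            "action": r["eventName"],
            "region": r.get("awsRegion"),
            "user_agent": r.get("userAgent", "").split(" ")[0],
            "asn": ip_to_asn.get(r.get("sourceIPAddress")),
        }
        known = baseline.get(arn, {})  # unknown principal: everything unexpected
        odd = sorted(k for k, v in seen.items() if v not in known.get(k, set()))
        if odd:
            findings.append({"principal": arn, "action": seen["action"],
                             "unexpected": odd, "severity": SEVERITY[len(odd)]})
    return findings
```

Each finding names the principal to verify and the properties that deviated, which is the starting point for deciding whether the call was authorized.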