AWS Glue enumeration
Description
AlphaSOC detected systematic enumeration of AWS Glue resources through API actions. This activity involves attempts to systematically gather information about Glue data catalogs, ETL jobs, crawlers, and database connections within the AWS account. Adversaries may query Glue services to map data integration jobs, workflows, and configurations that reveal the organization's data processing architecture and security controls.
Impact
Glue enumeration can allow threat actors to understand data pipeline configurations, database connections, and encryption settings. This information enables adversaries to identify vulnerabilities, locate sensitive data stores, and develop targeted attacks against the data infrastructure.
Severity
| Severity | Condition |
|---|---|
| Low | AWS Glue enumeration |
Investigation and Remediation
Analyze CloudTrail logs to identify Glue API calls along with source IPs and IAM principals involved. Map the sequence and scope of the enumeration to determine potential data exposure. Implement strict IAM policies that limit Glue resource discovery, enable AWS GuardDuty monitoring, and configure CloudWatch alarms for unexpected API call patterns targeting Glue services.
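The first step above, pulling Glue API calls out of CloudTrail and attributing them to principals and source IPs, is illustrated here with an added example that is not part of the AlphaSOC page or product. It groups Glue read-only (Get/List/Describe/Search) calls by caller and source address and flags any pair that touched several distinct discovery APIs, counting AccessDenied responses separately since failed probes are a common enumeration signal. The records, account id, ARNs and IP addresses are constructed placeholders; the threshold of three distinct actions is an assumed starting point, not an AlphaSOC setting.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records for illustration only (not from a real account).
# Field names follow the CloudTrail record format; identities and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-15T10:03:01Z", "eventSource": "glue.amazonaws.com",
     "eventName": "GetDatabases", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-analyst"}},
    {"eventTime": "2024-01-15T10:03:04Z", "eventSource": "glue.amazonaws.com",
     "eventName": "GetTables", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-analyst"}},
    {"eventTime": "2024-01-15T10:03:07Z", "eventSource": "glue.amazonaws.com",
     "eventName": "GetJobs", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-analyst"}},
    {"eventTime": "2024-01-15T10:03:09Z", "eventSource": "glue.amazonaws.com",
     "eventName": "GetCrawlers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-analyst"}},
    {"eventTime": "2024-01-15T10:03:12Z", "eventSource": "glue.amazonaws.com",
     "eventName": "GetConnections", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-analyst"}},
    # A normal ETL role: one lookup plus a job start, not discovery behaviour.
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "glue.amazonaws.com",
     "eventName": "GetJob", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/etl-role/session"}},
    {"eventTime": "2024-01-15T10:05:02Z", "eventSource": "glue.amazonaws.com",
     "eventName": "StartJobRun", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/etl-role/session"}},
    # Non-Glue activity is ignored entirely.
    {"eventTime": "2024-01-15T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-analyst"}},
]

GLUE_SOURCE = "glue.amazonaws.com"
# Read-only Glue API families; StartJobRun, CreateCrawler etc. are deliberately excluded.
DISCOVERY_PREFIXES = ("Get", "List", "Describe", "Search")


def load_cloudtrail_file(path):
    """Read a CloudTrail export, which wraps events in a top-level 'Records' list."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


def principal_of(record):
    """Best-effort caller identifier from userIdentity (ARN, else principalId)."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or "unknown"


def is_glue_discovery(record):
    """True for a Glue call whose action name looks like a read/enumerate operation."""
    return (record.get("eventSource") == GLUE_SOURCE
            and record.get("eventName", "").startswith(DISCOVERY_PREFIXES))


def find_glue_enumeration(records, min_distinct_actions=3):
    """Group Glue discovery calls by (principal, source IP) and return a summary
    for each pair that used at least min_distinct_actions different APIs."""
    stats = defaultdict(lambda: {"actions": set(), "calls": 0, "denied": 0, "times": []})
    for rec in records:
        if not is_glue_discovery(rec):
            continue
        key = (principal_of(rec), rec.get("sourceIPAddress", "unknown"))
        entry = stats[key]
        entry["actions"].add(rec["eventName"])
        entry["calls"] += 1
        if rec.get("errorCode"):          # e.g. AccessDeniedException on a probe
            entry["denied"] += 1
        entry["times"].append(rec.get("eventTime", ""))

    findings = {}
    for key, entry in stats.items():
        if len(entry["actions"]) < min_distinct_actions:
            continue
        findings[key] = {
            "distinct_actions": sorted(entry["actions"]),
            "call_count": entry["calls"],
            "denied": entry["denied"],
            "first_seen": min(entry["times"]),
            "last_seen": max(entry["times"]),
        }
    return findings


if __name__ == "__main__":
    for (principal, ip), summary in find_glue_enumeration(SAMPLE_EVENTS).items():
        print(f"{principal} from {ip}: {summary['call_count']} discovery calls "
              f"({summary['denied']} denied) across {summary['distinct_actions']} "
              f"between {summary['first_seen']} and {summary['last_seen']}")
```

Against a real export, feed `load_cloudtrail_file(path)` into `find_glue_enumeration`; the (principal, source IP) keys in the result are the starting point for the scoping step described above, and the `denied` count is worth watching separately, since a burst of AccessDenied on Glue Get/List calls is often the only trace a reconnaissance attempt leaves when IAM is already tight.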