AWS Inspector enumeration
Description
AlphaSOC detected systematic enumeration of AWS Inspector resources through API actions. This activity involves attempts to systematically gather information about Inspector assessment targets, assessment templates, findings, and rules packages within the AWS account. Adversaries may query Inspector configurations to understand security assessment settings, vulnerability findings, and evaluation templates used to assess AWS workloads.
Impact
Inspector enumeration reveals security assessment coverage, vulnerability scanning patterns, and compliance evaluation methods. Adversaries may use this information to identify security gaps, understand detection capabilities, and develop methods to avoid security controls.
Severity
| Severity | Condition |
|---|---|
| Low | AWS Inspector enumeration |
Investigation and Remediation
Review CloudTrail logs to identify Inspector API calls along with source IP addresses, user agents, and IAM principals. Analyze enumeration patterns and the scope of accessed resources to determine potential exposure. Implement least-privilege IAM policies that restrict Inspector resource access. Enable AWS GuardDuty monitoring and configure CloudWatch alarms for unexpected Inspector API activity patterns.
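The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it groups read-only Inspector API calls by IAM principal and source IP and reports bursts of distinct actions. The window, the threshold, and all sample records (account ID, ARNs, IPs, user agent) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INSPECTOR_SOURCES = {"inspector.amazonaws.com", "inspector2.amazonaws.com"}
READ_PREFIXES = ("List", "Describe", "Get")
WINDOW = timedelta(minutes=10)   # assumed burst window, tune per environment
MIN_DISTINCT_ACTIONS = 3         # assumed threshold, tune per environment

def _rec(arn, ip, name, time, source="inspector.amazonaws.com"):
    """Build a constructed CloudTrail record holding only the fields used here."""
    return {"eventSource": source, "eventName": name, "eventTime": time,
            "sourceIPAddress": ip, "userAgent": "aws-cli/2.x (constructed)",
            "userIdentity": {"arn": arn}}

DEV = "arn:aws:iam::111122223333:user/example-dev"                     # constructed
AUDIT = "arn:aws:sts::111122223333:assumed-role/example-audit/session"  # constructed
SAMPLE_RECORDS = [
    _rec(DEV, "198.51.100.23", "ListAssessmentTargets", "2024-01-01T10:00:05Z"),
    _rec(DEV, "198.51.100.23", "ListAssessmentTemplates", "2024-01-01T10:00:09Z"),
    _rec(DEV, "198.51.100.23", "ListRulesPackages", "2024-01-01T10:01:30Z"),
    _rec(DEV, "198.51.100.23", "ListFindings", "2024-01-01T10:02:10Z"),
    _rec(DEV, "198.51.100.23", "ListBuckets", "2024-01-01T10:02:40Z", "s3.amazonaws.com"),
    _rec(AUDIT, "203.0.113.7", "ListFindings", "2024-01-01T09:00:00Z"),
    _rec(AUDIT, "203.0.113.7", "DescribeFindings", "2024-01-01T13:00:00Z"),
    _rec(AUDIT, "203.0.113.7", "ListRulesPackages", "2024-01-01T18:00:00Z"),
]

def find_inspector_enumeration(records):
    """Return one summary per (principal, source IP) with a burst of distinct read calls."""
    groups = defaultdict(list)
    for r in records:
        if r.get("eventSource") in INSPECTOR_SOURCES and r.get("eventName", "").startswith(READ_PREFIXES):
            ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            key = (r.get("userIdentity", {}).get("arn", "unknown"), r.get("sourceIPAddress"))
            groups[key].append((ts, r["eventName"], r.get("userAgent")))
    hits = []
    for (arn, ip), events in groups.items():
        events.sort(key=lambda e: e[0])
        best, start = set(), 0
        for end in range(len(events)):          # sliding window over time-sorted events
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            names = {e[1] for e in events[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= MIN_DISTINCT_ACTIONS:
            hits.append({"principal": arn, "source_ip": ip, "actions": sorted(best),
                         "user_agents": sorted({e[2] for e in events if e[2]})})
    return hits

if __name__ == "__main__":
    for hit in find_inspector_enumeration(SAMPLE_RECORDS):
        print(hit)
```

In the sample, the audit role's three calls are hours apart and stay below the threshold, while the user's four distinct calls within about two minutes are reported.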