AWS region was enabled or disabled
Description
AlphaSOC detected the use of the `EnableRegion` or `DisableRegion` actions indicating modification in AWS regions. Threat actors may enable regions to expand their area of operations or disable regions to evade detection and complicate incident response efforts.
Impact
Enabling previously unused regions may expose new attack surfaces, while disabling active regions could disrupt operations and hinder the ability to monitor and respond to security incidents. This could lead to further compromise of the environment, data loss, or financial costs to the organization.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS region was enabled or disabled |
Investigation and Remediation
Investigate the AWS CloudTrail logs to identify the user or role that performed the region modification. Verify if this action was authorized. If unauthorized, revoke any potentially compromised credentials, perform a security audit of the AWS environment for other signs of compromise, and revert the changes made.
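
The triage step above can be scripted against an exported CloudTrail log file. The following is an added example, not AlphaSOC's own code: the records are constructed, the allowlist of authorized principals is hypothetical, and the casing of the region key inside `requestParameters` is an assumption, so both spellings are accepted.

```python
import json

REGION_ACTIONS = {"EnableRegion", "DisableRegion"}

# Constructed CloudTrail records for illustration; not real log data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "EnableRegion",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"RegionName": "ap-east-1"},
     "userIdentity": {"type": "AssumedRole",
         "arn": "arn:aws:sts::111122223333:assumed-role/dev-role/session-1",
         "sessionContext": {"sessionIssuer": {
             "arn": "arn:aws:iam::111122223333:role/dev-role"}}}},
    {"eventTime": "2024-05-01T10:05:40Z", "eventName": "DisableRegion",
     "sourceIPAddress": "203.0.113.20", "errorCode": "AccessDenied",
     "requestParameters": {"RegionName": "eu-south-1"},
     "userIdentity": {"type": "IAMUser",
         "arn": "arn:aws:iam::111122223333:user/cloud-admin"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "DescribeRegions",
     "sourceIPAddress": "203.0.113.20", "userIdentity": {"type": "IAMUser",
         "arn": "arn:aws:iam::111122223333:user/cloud-admin"}},
]})

def actor_of(identity):
    """Return the role ARN for assumed-role sessions, else the caller ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn") or identity.get("type", "unknown")

def region_changes(log_text, authorized_actors):
    """List region enable/disable calls with actor, outcome and authorization."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventName") not in REGION_ACTIONS:
            continue
        params = rec.get("requestParameters") or {}
        actor = actor_of(rec.get("userIdentity", {}))
        findings.append({
            "time": rec.get("eventTime"), "action": rec["eventName"],
            # Key casing is an assumption; accept both spellings.
            "region": params.get("RegionName") or params.get("regionName"),
            "actor": actor, "source_ip": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,  # errorCode appears only on failure
            "authorized": actor in authorized_actors,
        })
    return findings

if __name__ == "__main__":
    for f in region_changes(SAMPLE_LOG, {"arn:aws:iam::111122223333:user/cloud-admin"}):
        print(f)
```

Failed calls are kept in the output because a denied `EnableRegion` or `DisableRegion` attempt from an unexpected principal is as relevant to the credential review as a successful one.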