AWS API calls indicating resource enumeration
Description
AlphaSOC detected the use of the ListResources action in AWS Resource
Explorer. This API call allows users to list and search for resources across
multiple AWS services and regions. Threat actors can exploit this functionality
to gather information about the AWS environment, identify potential targets, and
assess vulnerabilities within the infrastructure.
Impact
The use of the ListResources action may indicate an attempt by adversaries to
map out the AWS environment and gather intelligence on available resources. This
information can be used to plan further attacks or identify high-value targets
within the infrastructure.
Severity
| Severity | Condition |
|---|---|
Informational | Unexpected action, ASN, user agent or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the IAM user or role responsible for this action. Verify whether the action was authorized. If unauthorized, revoke potentially compromised credentials and conduct a thorough security assessment of your AWS environment to identify and address other potential threats.