AWS API calls indicating creation of AWS REST API
Description
AlphaSOC detected that an AWS REST API was created using the CreateRestApi
action. Threat actors may leverage this action to establish persistence, create
backdoors, or set up malicious infrastructure within the AWS environment.
Impact
Unauthorized creation of an AWS REST API in Amazon API Gateway may indicate that threat actors have gained initial access to the AWS account and are attempting to maintain persistence, exfiltrate sensitive data, escalate privileges, or disrupt services.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the newly created AWS REST API by reviewing its configuration, the associated AWS IAM users or roles, and any deployed integrations. Verify whether the action was authorized. If it was not, delete the API using the DeleteRestApi action, revoke permissions from the AWS IAM user or role that created it, and investigate for signs of further compromise.
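As an added example (not part of the AlphaSOC rule or its product), the severity table above applied as scoring logic over constructed CloudTrail records for apigateway.amazonaws.com; the baseline sets, the IP-prefix-to-ASN map standing in for a real ASN lookup, and the sample records are all assumptions.

```python
# Constructed baseline of what is "expected" for one account (assumption,
# not from the rule page): derive it from your own CloudTrail history.
BASELINE = {
    "actions": {"GetRestApis", "GetRestApi"},     # CreateRestApi is not routine here
    "regions": {"us-east-1"},
    "user_agents": {"aws-cli/2.15.0", "console.amazonaws.com"},
    # Hypothetical prefix -> ASN map; a real pipeline would query an ASN database.
    # 198.51.100.0/24 is a documentation range, 64496 a private-use ASN.
    "asn_by_prefix": {"198.51.100.": 64496},
    "asns": {64496},
}

# Severity from the table: 1 unexpected property -> Informational, 2 -> Low,
# 3 -> Medium. Four unexpected properties are treated as Medium (assumption).
SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

def lookup_asn(ip, asn_by_prefix):
    """Map a source IP to an ASN via the constructed prefix table."""
    for prefix, asn in asn_by_prefix.items():
        if ip.startswith(prefix):
            return asn
    return None  # unknown origin counts as an unexpected ASN

def score_event(record, baseline=BASELINE):
    """Return (severity, unexpected_properties) for one CloudTrail record.
    Records from other event sources are not scored."""
    if record.get("eventSource") != "apigateway.amazonaws.com":
        return None, []
    unexpected = []
    if record.get("eventName") not in baseline["actions"]:
        unexpected.append("action")
    asn = lookup_asn(record.get("sourceIPAddress", ""), baseline["asn_by_prefix"])
    if asn not in baseline["asns"]:
        unexpected.append("asn")
    if record.get("userAgent") not in baseline["user_agents"]:
        unexpected.append("user_agent")
    if record.get("awsRegion") not in baseline["regions"]:
        unexpected.append("region")
    return SEVERITY[min(len(unexpected), 3)], unexpected

# Constructed sample records (only the fields the scorer reads).
SAMPLE_EVENTS = [
    {"eventSource": "apigateway.amazonaws.com", "eventName": "GetRestApis",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0"},                        # routine read: no finding
    {"eventSource": "apigateway.amazonaws.com", "eventName": "CreateRestApi",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0"},                        # only the action is unexpected
    {"eventSource": "apigateway.amazonaws.com", "eventName": "CreateRestApi",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.9",
     "userAgent": "aws-cli/2.15.0"},                        # action + ASN + region
]
```

Each finding's `unexpected` list is what to carry into the investigation step: an unexpected ASN or region points at the credential that made the call, an unexpected action alone at the API itself.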