Skip to content
Threat Feed
medium advisory

AWS Excessive Security Scanning Detection

Detection of excessive AWS API calls indicative of reconnaissance by an attacker attempting to map an AWS environment.

This threat brief outlines a detection strategy for identifying excessive security scanning activities within an AWS environment. Attackers often perform reconnaissance to map out the environment before launching further attacks. The detection focuses on monitoring AWS CloudTrail logs for a high volume of "Describe," "List," or "Get" API calls originating from a single user. This behavior, when exceeding a defined threshold, can indicate malicious reconnaissance. Specifically, this activity can be indicative of an attacker attempting to enumerate resources, identify potential vulnerabilities, and plan subsequent exploitation. The detection relies on analyzing CloudTrail logs for distinct event names related to these API calls and flagging users exceeding a count of 50.

Attack Chain

  1. The attacker gains initial access to an AWS environment, possibly through compromised credentials or a misconfigured IAM role.
  2. The attacker begins enumerating AWS resources using "Describe," "List," and "Get" API calls, such as DescribeInstances, ListBuckets, or GetSecurityGroups.
  3. These API calls are recorded in AWS CloudTrail logs, capturing the event name, user identity, source IP, and other relevant details.
  4. The attacker iterates through different AWS services, querying for information about EC2 instances, S3 buckets, IAM roles, security groups, and other resources.
  5. The attacker aggregates the information gathered to build a comprehensive understanding of the AWS environment's architecture, security posture, and potential attack vectors.
  6. The attacker uses the gathered information to identify vulnerable resources, misconfigurations, or exposed data.
  7. Based on the reconnaissance, the attacker plans and executes further attacks, such as exploiting vulnerable EC2 instances, accessing sensitive data in S3 buckets, or escalating privileges through compromised IAM roles.
  8. The final objective may include data exfiltration, denial-of-service attacks, or deployment of malware within the AWS environment.

Impact

Successful reconnaissance allows attackers to gain a detailed understanding of an AWS environment, significantly increasing their chances of successful exploitation. This can lead to unauthorized access to sensitive data, data exfiltration, service disruption, or complete compromise of the cloud infrastructure. Detecting and preventing excessive security scanning is crucial to mitigating these risks. This activity is especially dangerous if an attacker is able to scan and discover keys or access to other services.

Recommendation

  • Deploy the provided Sigma rule AWS Excessive Security Scanning to your SIEM and tune the threshold (currently set to 50 distinct events) based on your organization's baseline activity.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the detected scanning activity by reviewing associated source IPs from CloudTrail logs.
  • Enable and review AWS CloudTrail logs across all regions and accounts to ensure comprehensive visibility into API activity, which is the data source for the provided Sigma rule.
  • Implement anomaly detection on API call patterns to identify unusual reconnaissance activities.

Detection coverage 2

AWS Excessive Security Scanning

medium

Detects a single user performing an excessive number of Describe, List, or Get API calls in AWS, indicative of reconnaissance.

sigma tactics: discovery techniques: T1526 sources: cloudtrail, aws

AWS Excessive Security Scanning with Specific Event Names

medium

Detects excessive Describe, List, or Get API calls in AWS with a focus on specific event names often used for reconnaissance.

sigma tactics: discovery techniques: T1526 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →