AWS Identity API Access from Rare ASN Organizations
This rule detects AWS identities whose API traffic is dominated by cloud-provider source AS organization labels but that also show traffic from other AS organizations, potentially indicating credential reuse or pivoting.
This detection identifies AWS identities that primarily use API traffic originating from well-known cloud providers (e.g., Amazon, Google, Microsoft), but also exhibit a small amount of traffic from less common Autonomous System (AS) organizations. This pattern can indicate that automation or CI credentials are being reused or pivoted outside of their usual hosted cloud environment. The detection focuses on successful API calls and looks for a combination of high volume from trusted cloud providers and at least one sensitive action originating from an uncommon network. This behavior could be indicative of credential compromise and lateral movement. This rule was published by Elastic on 2026-04-22.
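The page does not include the rule's ES|QL query, so the following is an added Python illustration (not Elastic's code) of the same logic applied to constructed CloudTrail-style records: group successful calls per identity, measure how much of the traffic comes from cloud-provider AS organizations, and report any sensitive action that arrived from a non-cloud AS organization. The cloud-provider label set, the 0.9 dominance threshold, the ECS-style field names and the sample AS organization names are assumptions.

```python
from collections import Counter, defaultdict

# Assumed: AS organization labels the rule treats as expected cloud-provider origins.
CLOUD_PROVIDER_AS_ORGS = {"Amazon.com, Inc.", "Google LLC", "Microsoft Corporation"}

# Sensitive actions named in the rule description (recon, escalation, data access, ML).
SENSITIVE_ACTIONS = {
    "GetCallerIdentity", "ListBuckets", "ListSecrets", "AssumeRole", "AttachUserPolicy",
    "CreateAccessKey", "GetObject", "GetSecretValue", "CreateUser", "UpdateLoginProfile",
    "AddUserToGroup", "InvokeModel", "Converse",
}

def event(user, action, as_org, error=None):
    """One flattened CloudTrail-style record; field names follow ECS (constructed sample)."""
    return {"user.name": user, "aws.cloudtrail.user_identity.type": "IAMUser",
            "event.action": action, "source.as.organization.name": as_org,
            "aws.cloudtrail.error_code": error}

SAMPLE_EVENTS = (
    # ci-deploy: pipeline traffic from Amazon, then one secret read from a rare AS org
    [event("ci-deploy", "PutObject", "Amazon.com, Inc.") for _ in range(9)]
    + [event("ci-deploy", "GetSecretValue", "ExampleTelecom AS")]
    + [event("ci-deploy", "AssumeRole", "ExampleTelecom AS", error="AccessDenied")]  # failed
    # ops-admin: cloud-dominated, but the rare-org call is not a sensitive action
    + [event("ops-admin", "DescribeInstances", "Google LLC") for _ in range(9)]
    + [event("ops-admin", "DescribeInstances", "ExampleTelecom AS")]
    # dev-laptop: human user on an ISP, not cloud-dominated, so outside this rule's scope
    + [event("dev-laptop", "GetObject", "ExampleISP AS") for _ in range(3)]
)

def find_rare_asn_abuse(events, min_cloud_ratio=0.9):
    """Flag identities whose successful calls are dominated by cloud-provider AS orgs
    (>= min_cloud_ratio, an assumed threshold) yet include a sensitive action from elsewhere."""
    by_user = defaultdict(list)
    for e in events:
        if e["aws.cloudtrail.error_code"] is None:  # the rule looks at successful calls only
            by_user[e["user.name"]].append(e)
    findings = []
    for user, evs in by_user.items():
        orgs = Counter(e["source.as.organization.name"] for e in evs)
        cloud_ratio = sum(n for o, n in orgs.items() if o in CLOUD_PROVIDER_AS_ORGS) / len(evs)
        untrusted = sorted({e["event.action"] for e in evs
                            if e["source.as.organization.name"] not in CLOUD_PROVIDER_AS_ORGS
                            and e["event.action"] in SENSITIVE_ACTIONS})
        if cloud_ratio >= min_cloud_ratio and untrusted:
            findings.append({"user.name": user, "cloud_ratio": round(cloud_ratio, 2),
                             "aws.cloudtrail.user_identity.type": evs[0]["aws.cloudtrail.user_identity.type"],
                             "Esql.src_asn_values": sorted(orgs),
                             "Esql.untrusted_suspicious_actions": untrusted})
    return findings
```

Only ci-deploy is reported: ops-admin's rare-org call is not a sensitive action, dev-laptop is not cloud-dominated, and the failed AssumeRole is excluded because the rule counts successful calls only.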
Attack Chain
- An attacker gains access to valid AWS credentials, potentially through phishing, credential stuffing, or exposed secrets.
- The attacker uses the compromised credentials to make API calls from their own infrastructure, which is associated with a rare AS organization.
- The attacker performs reconnaissance, such as GetCallerIdentity, ListBuckets, or ListSecrets, to understand the AWS environment.
- The attacker attempts to escalate privileges by calling AssumeRole, AttachUserPolicy, or CreateAccessKey.
- The attacker attempts to access sensitive data using actions such as GetObject or GetSecretValue.
- The attacker attempts to create new users or modify existing user profiles using actions such as CreateUser, UpdateLoginProfile, or AddUserToGroup.
- The attacker may attempt to invoke cloud ML models using InvokeModel or Converse to further their objectives.
- The attacker persists in the environment by creating new IAM users, roles, or policies, or by modifying existing ones.
Impact
A successful attack can lead to unauthorized access to sensitive data stored in S3 buckets, Secrets Manager, or other AWS services. It can also allow the attacker to escalate privileges, create new users, and modify existing configurations, leading to long-term control of the AWS environment. The severity of the impact depends on the level of access granted to the compromised credentials. This can lead to exfiltration of sensitive data, denial of service, or complete compromise of the AWS account.
Recommendation
- Enable AWS CloudTrail logging in all regions and send the logs to a centralized SIEM or logging platform so that this detection can run.
- Deploy the Sigma rule “AWS Rare Source AS Organization Activity”, translated from the provided ESQL query, to detect unusual source ASNs for AWS API calls.
- Investigate alerts generated by the rule, focusing on the user.name, aws.cloudtrail.user_identity.type, Esql.src_asn_values, and Esql.untrusted_suspicious_actions fields to understand the context of the activity.
- Rotate credentials for the affected principal if abuse is suspected, and enforce OIDC or short-lived keys for automation.
- Tighten IAM and data-plane permissions to limit the impact of compromised credentials.
Detection coverage (2)
AWS API Calls from Unusual ASN
Severity: medium. Detects AWS API calls from a source ASN that is not typically associated with the user.
AWS Sensitive API Actions from Untrusted ASN
Severity: high. Detects sensitive AWS API actions originating from untrusted ASNs, based on the Elastic rule.