Skip to content
Threat Feed
low advisory

AWS Discovery API Calls via CLI from a Single Resource

A single AWS resource is making multiple read-only discovery API calls via the AWS CLI within a 10-second window, indicating potential reconnaissance attempts using compromised credentials or a compromised instance.

This detection identifies suspicious AWS infrastructure discovery activity. Specifically, it detects when a single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI. This activity may indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. The rule excludes service accounts and console behavior and filters specifically for AWS CLI usage. This behavior is often an early phase of compromise, helping adversaries to identify potential targets for further exploitation or gain a better understanding of the target's infrastructure. This detection focuses on AWS CloudTrail logs. The first version of this rule was created on 2024/11/04 and updated on 2026/04/10.

Attack Chain

  1. An attacker gains access to AWS credentials through methods like credential stuffing or phishing.
  2. The attacker uses the AWS CLI with the compromised credentials from a compromised host.
  3. The attacker executes multiple 'Describe', 'List', 'Get', or 'Generate' API calls, such as DescribeInstances, ListRoles, ListAccessKeys, or ListBuckets.
  4. The attacker gathers information about the AWS environment, including EC2 instances, IAM roles, S3 buckets, and KMS keys.
  5. The attacker identifies potential targets for further exploitation based on the gathered information.
  6. The attacker attempts to escalate privileges or move laterally within the AWS environment.
  7. The attacker may exfiltrate sensitive data from discovered resources or deploy malicious workloads.

Impact

Successful discovery of an AWS environment can enable attackers to identify and exploit vulnerable resources, potentially leading to data breaches, service disruptions, or unauthorized access to sensitive information. The low severity reflects the early stage of reconnaissance, but a successful attack can still lead to significant damage.

Recommendation

  • Enable AWS CloudTrail logging in all regions to capture API activity and enable the detection rule.
  • Deploy the Sigma rule "AWS Discovery API Calls via CLI from a Single Resource" to your SIEM and tune the threshold based on your environment's baseline activity.
  • Investigate any alerts generated by the Sigma rule, focusing on the identified actor, source IP, and API call patterns.
  • Implement strict IAM policies and multi-factor authentication (MFA) to prevent credential compromise.
  • Monitor the source IPs (Esql.source_ip_values) for unusual or external activity using a firewall.

Detection coverage 2

AWS Discovery API Calls via CLI from a Single Source IP

medium

Detects multiple AWS discovery API calls from a single source IP via the AWS CLI within a short time frame.

sigma tactics: discovery techniques: T1580 sources: network_connection, aws

AWS Multiple Discovery API Calls by User ARN via CLI

low

Detects multiple distinct AWS discovery API calls by a single user ARN via AWS CLI within a 10 second window.

sigma tactics: discovery techniques: T1526 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →