Threat Feed


Amazon Web Services

5 briefs
high advisory

AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN

Detects successful AWS AssumeRoleWithWebIdentity where the caller identity is a Kubernetes service account and the source autonomous system organization is not Amazon.com, Inc., potentially indicating a stolen or misused service-account token being used off-cluster.

Amazon Web Services aws cloudtrail iam eks irsa initial-access
medium advisory

AWS EC2 Role GetCallerIdentity from New Source AS Organization

The rule detects when an EC2 instance role session calls AWS STS GetCallerIdentity from a new source autonomous system (AS) organization name, indicating potential credential theft, with the stolen credentials being verified from outside expected egress paths.

Amazon Web Services cloud aws getcalleridentity ec2 discovery
medium advisory

AWS Discovery API Calls from VPN ASN by New Identity

This rule detects the initial use of AWS discovery APIs from VPN-associated ASNs by a previously unseen identity, indicating potential reconnaissance activity.

Amazon Web Services cloud aws discovery vpn
medium advisory

AWS IAM Customer Managed Policy Version Manipulation for Privilege Escalation

Successful creation of a new version of a customer-managed IAM policy, or setting a different version as the default, can indicate privilege escalation attempts by attackers modifying policy permissions.

Amazon Web Services privilege-escalation aws iam
medium advisory

AWS Network Access Control List Deletion Detected

Detects deletion of an AWS Network Access Control List (ACL) using AWS CloudTrail logs. Deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances and leading to data exfiltration or further compromise.

Splunk Enterprise +3 cloud aws network