Product
medium
advisory
AWS EC2 Role GetCallerIdentity from New Source AS Organization
2 rules 1 TTPThe rule detects when an EC2 instance role session calls AWS STS GetCallerIdentity from a new source autonomous system (AS) organization name, indicating potential credential theft and verification from outside expected egress paths.
Amazon Web Services
cloud
aws
getcalleridentity
ec2
discovery
2r
1t
medium
advisory
AWS Discovery API Calls from VPN ASN by New Identity
2 rules 1 TTPThis rule detects the initial use of AWS discovery APIs from VPN-associated ASNs by a previously unseen identity, indicating potential reconnaissance activity.
Amazon Web Services
cloud
aws
discovery
vpn
2r
1t
medium
advisory
AWS IAM Customer Managed Policy Version Manipulation for Privilege Escalation
2 rules 2 TTPsSuccessful creation of new or setting default versions of customer-managed IAM policies can indicate privilege escalation attempts by attackers modifying policy permissions.
Amazon Web Services
privilege-escalation
aws
iam
2r
2t