<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Aws-Cloudtrail - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/aws-cloudtrail/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 14:02:20 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/aws-cloudtrail/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Discovery API Calls from VPN ASN for the First Time by Identity</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-discovery-vpn-asn/</link><pubDate>Wed, 15 Jul 2026 14:02:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-discovery-vpn-asn/</guid><description>This threat detection rule identifies initial reconnaissance activities within AWS by flagging an IAM principal's first-time invocation of sensitive discovery APIs, such as GetCallerIdentity, ListUsers, ListBuckets, and DescribeInstances, when the originating IP address is associated with consumer VPNs, high-usage hosting providers, or networks linked to threat groups like TeamPCP, indicating an attacker performing enumeration of cloud resources from a suspicious network origin.</description><content:encoded><![CDATA[<p>This brief details detection of suspicious AWS discovery API calls originating from Autonomous System Numbers (ASNs) commonly associated with consumer VPN services, VPN-heavy hosting providers, or networks previously linked to groups such as TeamPCP. The detection flags the <em>first time</em> a specific AWS Identity and Access Management (IAM) principal is observed invoking a curated list of high-signal discovery APIs (e.g., <code>GetCallerIdentity</code>, <code>ListUsers</code>, <code>ListBuckets</code>, <code>DescribeInstances</code>) from an IP address mapped to one of the identified suspicious ASNs. This activity is indicative of an adversary conducting reconnaissance in an AWS environment, attempting to gather information about account configurations, IAM users, roles, and deployed resources. While some of these ASNs are dual-use (legitimate hosting providers), their association with sensitive API calls from a previously unseen principal, as detected by this rule, suggests potential unauthorized access and enumeration attempts.</p>
<h2 id="impact">Impact</h2>
<p>Successful execution of these discovery activities allows attackers to gain critical insights into the target AWS environment. This reconnaissance can reveal the structure of an organization's cloud infrastructure, identify potential misconfigurations, map out IAM users and their permissions, and locate valuable data stored in S3 buckets or other services. This information is crucial for an attacker to plan subsequent stages of an attack, such as privilege escalation, lateral movement, or data exfiltration. The financial impact can include unauthorized resource usage, data breaches, and regulatory fines. Operational impact can manifest as service disruptions, loss of data integrity, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Deploy the Sigma rule</strong> in this brief to your SIEM, noting that the &quot;first time&quot; detection is an Elastic-specific feature and the Sigma rule will detect <em>any</em> matching event.</li>
<li><strong>Monitor AWS CloudTrail logs</strong> for <code>event.action</code> values such as <code>GetCallerIdentity</code>, <code>ListUsers</code>, <code>ListBuckets</code>, <code>DescribeInstances</code> originating from <code>source.as.number</code> values identified in the rule.</li>
<li><strong>Review <code>aws.cloudtrail.user_identity.arn</code>, <code>event.action</code>, and <code>source.as.number</code></strong> for any alerts generated by the rule, comparing against your organization's approved remote access patterns.</li>
<li><strong>Implement GeoIP and ASN enrichment</strong> for <code>source.ip</code> to ensure <code>source.as.number</code> is populated in your AWS CloudTrail logs, enabling this detection.</li>
<li><strong>Rotate keys and revoke sessions</strong> for any <code>aws.cloudtrail.user_identity.access_key_id</code> found to be associated with suspicious activity.</li>
<li><strong>Regularly review and update the list of suspicious ASNs</strong> using resources like BGP.tools, RIPE, or peeringdb, as referenced in the rule's <code>note</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>aws-cloudtrail</category><category>iam</category><category>discovery</category><category>cloud</category><category>identity</category><category>threat-detection</category></item></channel></rss>