Lateral movement

AWS Suspect Region Activity


Detection overview

Triggers

  • An AWS control-plane API call was observed in a geographic service region that is not normally used in your cloud environment.

Possible Root Causes

  • An attacker is operating from a geographic service region the organization does not use, in order to stay outside the regions that are watched.
  • An administrator or automated task is creating resources in a previously unused geographic service region as part of normal activity.

Business Impact

  • If logging and monitoring do not cover all regions, a successful attack within an unused region evades detection.
  • The organization could be hindered from both investigating historical activity and auditing current activity within the region.

Steps to Verify

  • Investigate the Principal that performed the actions for other signs of malicious activity.
  • Discuss with the user to determine whether the activity is known and legitimate.
  • Review logging and monitoring coverage for the region (for example, whether a multi-region CloudTrail trail records it) to ensure it is adequate.
  • Review available internal documentation, such as a Cloud Security Policy, for details on approved AWS service regions.
  • If review indicates possible malicious actions or a high-risk configuration:
    • Revert any configuration changes
    • Disable the credentials associated with this alert
    • Perform a comprehensive investigation to determine the initial compromise and the scope of impacted resources
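The trigger and the first verification steps above, as an added example that is not code from the original page or from the vendor: it builds a per-region baseline from constructed CloudTrail records, flags calls in regions outside that baseline, groups them by Principal for triage, and checks whether a trail inventory in the shape of `aws cloudtrail describe-trails` output covers the flagged region. The CloudTrail field names (eventTime, awsRegion, eventName, eventSource, userIdentity.arn) are real; the lookback window, the minimum-event threshold, the approved-region list, the sample records and the trail inventory are assumptions standing in for your own policy and account configuration.

```python
"""Flag AWS control-plane calls in regions outside an established baseline.

Added example, not code from the original page or the vendor. All records and
trails below are constructed sample data, not real logs.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOOKBACK_DAYS = 30        # assumption: how much history defines "normally used"
MIN_BASELINE_EVENTS = 5   # assumption: fewer calls than this does not make a region normal
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}  # assumption: from the Cloud Security Policy
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
BASE = datetime(2024, 5, 1, tzinfo=timezone.utc)

ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed principals
BOB = "arn:aws:iam::111122223333:user/bob"


def _record(day, region, event, source, arn):
    """Build one constructed CloudTrail-shaped record (sample data, not a real log)."""
    return {
        "eventTime": (BASE + timedelta(days=day)).strftime(TIME_FMT),
        "awsRegion": region,
        "eventName": event,
        "eventSource": source,
        "userIdentity": {"type": "IAMUser", "arn": arn},
    }


# Constructed history: 30 days of routine activity in two regions, one stray
# historical call in ap-southeast-2 that must NOT make that region "normal",
# then two calls on day 30 in ap-southeast-2 by a principal who never used it.
SAMPLE_RECORDS = (
    [_record(d, "us-east-1", "DescribeInstances", "ec2.amazonaws.com", ALICE) for d in range(30)]
    + [_record(d, "eu-west-1", "RunInstances", "ec2.amazonaws.com", ALICE) for d in range(0, 30, 3)]
    + [_record(12, "ap-southeast-2", "DescribeInstances", "ec2.amazonaws.com", ALICE)]
    + [_record(30, "ap-southeast-2", "RunInstances", "ec2.amazonaws.com", BOB),
       _record(30, "ap-southeast-2", "CreateKeyPair", "ec2.amazonaws.com", BOB)]
)

# Constructed trail inventory (assumption): a single-region trail in us-east-1 only.
SAMPLE_TRAILS = [{"Name": "mgmt-events", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False}]


def _ts(record):
    return datetime.strptime(record["eventTime"], TIME_FMT).replace(tzinfo=timezone.utc)


def region_baseline(records, now, lookback_days=LOOKBACK_DAYS, min_events=MIN_BASELINE_EVENTS):
    """Regions with at least min_events calls in the lookback window ending at now."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter(r["awsRegion"] for r in records if cutoff <= _ts(r) < now)
    return {region for region, n in counts.items() if n >= min_events}


def detect(records, now):
    """Trigger: any call at or after now whose region is outside the baseline."""
    baseline = region_baseline(records, now)
    flagged = [r for r in records if _ts(r) >= now and r["awsRegion"] not in baseline]
    return baseline, flagged


def triage(flagged, approved_regions=APPROVED_REGIONS):
    """Group flagged calls by (principal, region) so each principal is reviewed once,
    and record whether policy approves the region at all."""
    findings = defaultdict(list)
    for r in flagged:
        findings[(r["userIdentity"].get("arn", "<unknown>"), r["awsRegion"])].append(r["eventName"])
    return {
        key: {"calls": calls, "region_approved_by_policy": key[1] in approved_regions}
        for key, calls in findings.items()
    }


def region_is_logged(trails, region):
    """Coverage check over describe-trails-shaped entries: a region is covered when
    some trail is multi-region or has that region as its HomeRegion."""
    return any(t.get("IsMultiRegionTrail") or t.get("HomeRegion") == region for t in trails)


if __name__ == "__main__":
    now = BASE + timedelta(days=30)
    baseline, flagged = detect(SAMPLE_RECORDS, now)
    print("baseline regions:", sorted(baseline))
    for (arn, region), info in triage(flagged).items():
        print(f"{arn} in {region}: {info['calls']} "
              f"approved={info['region_approved_by_policy']} "
              f"logged={region_is_logged(SAMPLE_TRAILS, region)}")
```

Two caveats when running this over real trails. First, CloudTrail records calls to global services such as IAM and STS (through the global endpoint) with awsRegion set to us-east-1 regardless of where the caller is, so those events neither establish nor violate a regional baseline and should be filtered by eventSource if us-east-1 is not otherwise in use. Second, the coverage check only says a trail exists for the region; confirm it is actually recording with `aws cloudtrail get-trail-status` and that the region is enabled for the account with `aws ec2 describe-regions --all-regions`, since an attacker who can enable an opted-in region gains a place where no single-region trail has ever been configured.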