Lateral movement
AWS Suspect Region Activity
Detection overview
Triggers
- An AWS control-plane API was observed being invoked in a geographic service region which is not normally used in your cloud environment.
Possible Root Causes
- An attacker is operating out of an unused geographic service region in order to evade detection.
- An administrator or automated task is creating resources in a previously unused geographic service region, as a part of normal activities.
Business Impact
- If logging and monitoring is not inclusive of all regions, a successful attack within an unused region would evade detection capabilities.
- An organization could be hindered from both investigating historical activity and auditing any current activity within the region.
Steps to Verify
- Investigate the Principal which performed the actions for other signs of malicious activity.
- Discuss with the user to determine if the activity is known and legitimate.
- Review Logging and Monitoring coverage for the region to ensure it is adequate.
- Review available internal documentations such as a Cloud Security Policy for details on approved AWS service regions.
- If review indicates possible malicious actions or high-risk configuration:
- Revert any configuration changes
- Disable credentials associated with this alert
- Perform a comprehensive investigation to determine initial compromise and scope of impacted resources
AWS Suspect Region Activity
Possible root causes
Malicious Detection
Benign Detection
AWS Suspect Region Activity
Example scenarios
AWS Suspect Region Activity
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
AWS Suspect Region Activity
Steps to investigate
AWS Suspect Region Activity
Related detections
No items found.