AWS ListResources by long term access key

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects usage of long-term AWS access keys to execute ListResources operations in AWS Resource Explorer. Identifies potential unauthorized resource discovery and reconnaissance activity using compromised or misused long-term credentials.

Strategy

This rule monitors AWS CloudTrail logs for ListResources events generated by the resource-explorer-2.amazonaws.com service, with a specific focus on long-term access keys. The ListResources API enables enumeration of AWS resources across accounts and regions, providing attackers with valuable information about the target environment’s infrastructure. Long-term access keys present elevated security risks compared to temporary credentials due to their indefinite lifespan and higher likelihood of being compromised through credential theft, insider threats, or poor key management practices.

Triage & Response

  • Examine if the access key {{@userIdentity.accessKeyId}} in region {{@awsRegion}} has legitimate authorization to list AWS resources.
  • Review the user identity associated with the access key and verify if resource enumeration aligns with their job responsibilities.
  • Analyze the scope and frequency of ListResources calls to determine if the activity indicates systematic reconnaissance.
  • Investigate the source IP address and geographic location to identify potential unauthorized access patterns.
  • Check for correlated Resource Explorer API calls such as CreateIndex or GetIndex from the same access key.
  • Determine if the access key has been recently rotated or shows other signs of potential compromise.
  • Validate if the resource listing activity occurs during expected business hours and aligns with known operational procedures.
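The detection described under Strategy, together with the correlation step from the triage list, as an added example that is not part of this rule page or of Datadog's own implementation. It runs over a few constructed CloudTrail-style records and assumes the standard CloudTrail field names (eventSource, eventName, awsRegion, sourceIPAddress, userIdentity.accessKeyId) and the documented AWS convention that long-term IAM access key IDs begin with "AKIA" while temporary STS keys begin with "ASIA".

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records for illustration (not real log data).
SAMPLE_EVENTS = [
    {"eventSource": "resource-explorer-2.amazonaws.com", "eventName": "ListResources",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventSource": "resource-explorer-2.amazonaws.com", "eventName": "GetIndex",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    # Same API, but via a temporary STS credential: outside this rule's scope.
    {"eventSource": "resource-explorer-2.amazonaws.com", "eventName": "ListResources",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
]

LONG_TERM_PREFIX = "AKIA"  # assumption: AWS long-term key ID prefix
SERVICE = "resource-explorer-2.amazonaws.com"
CORRELATED = {"CreateIndex", "GetIndex"}  # calls the triage steps ask to check

def is_long_term_key(key_id):
    return isinstance(key_id, str) and key_id.startswith(LONG_TERM_PREFIX)

def matches_rule(event):
    """True when a Resource Explorer ListResources call used a long-term key."""
    return (event.get("eventSource") == SERVICE
            and event.get("eventName") == "ListResources"
            and is_long_term_key(event.get("userIdentity", {}).get("accessKeyId")))

def triage(events):
    """Group matches per access key with the context the triage steps need."""
    findings = defaultdict(lambda: {"list_calls": 0, "regions": set(),
                                    "source_ips": set(), "correlated": set()})
    for e in events:
        if matches_rule(e):
            f = findings[e["userIdentity"]["accessKeyId"]]
            f["list_calls"] += 1
            f["regions"].add(e.get("awsRegion"))
            f["source_ips"].add(e.get("sourceIPAddress"))
    # Second pass: other Resource Explorer calls from keys that already matched.
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key in findings and e.get("eventSource") == SERVICE and e.get("eventName") in CORRELATED:
            findings[key]["correlated"].add(e["eventName"])
    return dict(findings)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), default=list, indent=2))
```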