AWS CreateIndex by long term access key

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects use of long-term AWS access keys to execute CreateIndex operations in AWS Resource Explorer, which may indicate unauthorized resource discovery with compromised or misused long-term credentials.

Strategy

This rule monitors AWS CloudTrail logs for CreateIndex events whose event source is resource-explorer-2.amazonaws.com, with a specific focus on calls made with long-term access keys. AWS Resource Explorer allows users to search and discover AWS resources across regions and accounts, making it valuable for both legitimate administration and malicious reconnaissance. Long-term access keys pose a higher security risk than temporary credentials because they do not expire automatically, so a leaked or misused key remains usable until it is rotated or deactivated.
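As an added example, not part of this rule page or Datadog's own implementation, the following Python applies the rule's matching logic to constructed CloudTrail records. It assumes that long-term keys can be recognised by the AKIA prefix AWS assigns to IAM user access keys (the page itself does not state this), and adds a helper for the triage step of listing other Resource Explorer calls made with the same key.

```python
# Constructed sample CloudTrail records (placeholders, not real log data).
# AWS prefixes long-term IAM user keys with "AKIA" and temporary STS
# credentials with "ASIA"; the key IDs below are fake.
RE_SOURCE = "resource-explorer-2.amazonaws.com"
SAMPLE_EVENTS = [
    {"eventSource": RE_SOURCE, "eventName": "CreateIndex", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventSource": RE_SOURCE, "eventName": "Search", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventSource": RE_SOURCE, "eventName": "CreateIndex", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE00000002"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAEXAMPLE00000001"}},
]

def is_long_term_key(access_key_id):
    """Long-term IAM user keys start with AKIA; STS temporary keys with ASIA."""
    return access_key_id.startswith("AKIA")

def detect_long_term_create_index(events):
    """One finding per CreateIndex call from a long-term key (the rule's match)."""
    findings = []
    for e in events:
        ident = e.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if (e.get("eventSource") == RE_SOURCE and e.get("eventName") == "CreateIndex"
                and is_long_term_key(key)):
            findings.append({"accessKeyId": key, "awsRegion": e.get("awsRegion"),
                             "sourceIPAddress": e.get("sourceIPAddress"),
                             "userName": ident.get("userName")})
    return findings

def related_resource_explorer_calls(events, access_key_id):
    """Triage helper: other Resource Explorer API names seen from the same key."""
    return sorted({e["eventName"] for e in events
                   if e.get("eventSource") == RE_SOURCE
                   and e.get("userIdentity", {}).get("accessKeyId") == access_key_id
                   and e["eventName"] != "CreateIndex"})

if __name__ == "__main__":
    for hit in detect_long_term_create_index(SAMPLE_EVENTS):
        print(hit, related_resource_explorer_calls(SAMPLE_EVENTS, hit["accessKeyId"]))
```

The temporary-credential CreateIndex call in eu-west-1 is deliberately not flagged, mirroring the rule's focus on long-term keys only.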

Triage & Response

  • Determine whether the access key {{@userIdentity.accessKeyId}} in region {{@awsRegion}} has legitimate authorization to create resource indexes.
  • Review the user identity associated with the access key and verify that index creation aligns with their normal responsibilities.
  • Check for additional Resource Explorer API calls from the same access key to understand the scope of discovery activity.
  • Investigate the source IP address and geographic location of the API calls to identify potential unauthorized access.
  • Determine if the access key shows signs of compromise by reviewing recent authentication patterns and usage locations.
  • Validate if the timing of the CreateIndex operation aligns with known maintenance windows or legitimate administrative tasks.