AWS ListResources executed by new principal identity

This rule is part of a beta feature. To learn more, contact Support.
cloudtrail

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1580-cloud-infrastructure-discovery

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects first-time execution of ListResources operations by previously unseen AWS principal identities. Identifies potential unauthorized resource discovery activity from new or compromised accounts.

Strategy

This rule analyzes AWS CloudTrail logs for ListResources events from the resource-explorer-2.amazonaws.com service, using a new value detection on @userIdentity.principalId. It establishes a baseline of principals who have previously executed ListResources operations and triggers an alert when a principal identity is observed performing this action for the first time. Since the ListResources API in AWS Resource Explorer enables broad visibility into resources across accounts and regions, its use by a new principal could signal account compromise, privilege escalation, or unauthorized access, in addition to legitimate administrative activity.

Triage & Response

  • Examine the principal identity {{@userIdentity.principalId}} to determine if it represents a legitimate user, role, or service account.
  • Review the account creation date and recent access patterns to identify if this is a newly provisioned legitimate account.
  • Investigate the authentication method and source location of the ListResources calls to detect potential unauthorized access.
  • Check for additional AWS API calls from the same principal to understand the full scope of their activity.
  • Validate if the principal has appropriate IAM permissions for Resource Explorer operations and if these permissions were recently granted.
  • Determine if the timing of the first ListResources execution correlates with known onboarding activities or role assignments.