AWS ListResources by long term access key

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects usage of long-term AWS access keys to execute ListResources operations in AWS Resource Explorer. Identifies potential unauthorized resource discovery and reconnaissance activity using compromised or misused long-term credentials.

Strategy

This rule monitors AWS CloudTrail logs for ListResources events generated by the resource-explorer-2.amazonaws.com service, with a specific focus on long-term access keys. The ListResources API enumerates AWS resources across accounts and regions, giving an attacker a valuable map of the target environment's infrastructure. Long-term access keys carry more risk than temporary credentials: they never expire on their own, and they are more likely to be compromised through credential theft, insider misuse, or poor key management practices.

Triage & Response

  • Examine if the access key {{@userIdentity.accessKeyId}} in region {{@awsRegion}} has legitimate authorization to list AWS resources.
  • Review the user identity associated with the access key and verify if resource enumeration aligns with their job responsibilities.
  • Analyze the scope and frequency of ListResources calls to determine if the activity indicates systematic reconnaissance.
  • Investigate the source IP address and geographic location to identify potential unauthorized access patterns.
  • Check for correlated Resource Explorer API calls such as CreateIndex or GetIndex from the same access key.
  • Determine if the access key has been recently rotated or shows other signs of potential compromise.
  • Validate if the resource listing activity occurs during expected business hours and aligns with known operational procedures.
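The following script is an added example written for this page, not Datadog's rule implementation. It applies the detection logic from the Strategy section to a handful of constructed CloudTrail-style records and then produces the per-key summary the triage steps above ask for (call count, regions, source IPs, off-hours calls, and correlated CreateIndex/GetIndex calls). It assumes the rule matches on `eventSource`, `eventName` and the access key ID prefix (long-term IAM key IDs begin with `AKIA`, temporary STS key IDs with `ASIA`), and it evaluates business hours in UTC, which is the timezone CloudTrail records `eventTime` in. The key IDs and account ID are the placeholder values AWS uses in its documentation; the source IPs are from documentation ranges.

```python
import json
from collections import defaultdict
from datetime import datetime

# Assumption: the rule matches Resource Explorer ListResources calls from this event source.
RESOURCE_EXPLORER_SOURCE = "resource-explorer-2.amazonaws.com"
TARGET_EVENT = "ListResources"
# Resource Explorer calls worth correlating during triage (from the triage list above).
CORRELATED_EVENTS = {"CreateIndex", "GetIndex"}
# Long-term IAM access key IDs start with "AKIA"; temporary (STS) key IDs start with "ASIA".
LONG_TERM_PREFIX = "AKIA"


def _record(time, source, name, region, ip, key_id):
    """Build one constructed CloudTrail-style record (sample data, not a real log)."""
    return json.dumps({
        "eventTime": time, "eventSource": source, "eventName": name,
        "awsRegion": region, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id,
                         "arn": "arn:aws:iam::123456789012:user/alice"},
    })


# Constructed sample log lines. Key IDs are the placeholder values from AWS documentation.
SAMPLE_LOG_LINES = [
    _record("2024-05-01T02:15:30Z", RESOURCE_EXPLORER_SOURCE, "ListResources", "us-east-1", "198.51.100.7", "AKIAIOSFODNN7EXAMPLE"),
    _record("2024-05-01T02:16:02Z", RESOURCE_EXPLORER_SOURCE, "ListResources", "eu-west-1", "198.51.100.7", "AKIAIOSFODNN7EXAMPLE"),
    _record("2024-05-01T02:14:10Z", RESOURCE_EXPLORER_SOURCE, "GetIndex", "us-east-1", "198.51.100.7", "AKIAIOSFODNN7EXAMPLE"),
    _record("2024-05-01T09:00:00Z", RESOURCE_EXPLORER_SOURCE, "CreateIndex", "us-east-1", "203.0.113.5", "AKIAIOSFODNN7EXAMPLE"),
    _record("2024-05-01T10:30:00Z", "ec2.amazonaws.com", "DescribeInstances", "us-east-1", "203.0.113.5", "AKIAIOSFODNN7EXAMPLE"),
    # Temporary credential: same API, but not in scope for this rule.
    _record("2024-05-01T11:00:00Z", RESOURCE_EXPLORER_SOURCE, "ListResources", "us-east-1", "203.0.113.9", "ASIAIOSFODNN7EXAMPLE"),
]


def parse_events(lines):
    """Parse newline-delimited JSON CloudTrail records into dicts."""
    return [json.loads(line) for line in lines]


def is_long_term_key(access_key_id):
    """True for IAM user access keys (AKIA...), False for STS temporary keys (ASIA...)."""
    return access_key_id.startswith(LONG_TERM_PREFIX)


def matches_rule(event):
    """Detection logic: ListResources via Resource Explorer using a long-term key."""
    key_id = event.get("userIdentity", {}).get("accessKeyId", "")
    return (event.get("eventSource") == RESOURCE_EXPLORER_SOURCE
            and event.get("eventName") == TARGET_EVENT
            and is_long_term_key(key_id))


def detect(lines):
    """Return the events that would fire this rule."""
    return [event for event in parse_events(lines) if matches_rule(event)]


def _is_off_hours(event_time, business_hours):
    # Assumption: business hours are evaluated in UTC, the timezone CloudTrail uses.
    hour = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").hour
    return not (business_hours[0] <= hour < business_hours[1])


def triage_summary(events, business_hours=(8, 18)):
    """Per long-term key: ListResources volume, spread, timing and correlated index calls."""
    summary = defaultdict(lambda: {
        "list_resources_calls": 0, "off_hours_calls": 0,
        "regions": set(), "source_ips": set(), "correlated_index_calls": 0,
    })
    for event in events:
        key_id = event.get("userIdentity", {}).get("accessKeyId", "")
        if event.get("eventSource") != RESOURCE_EXPLORER_SOURCE or not is_long_term_key(key_id):
            continue
        entry = summary[key_id]
        if event.get("eventName") == TARGET_EVENT:
            entry["list_resources_calls"] += 1
            entry["regions"].add(event.get("awsRegion"))
            entry["source_ips"].add(event.get("sourceIPAddress"))
            if _is_off_hours(event["eventTime"], business_hours):
                entry["off_hours_calls"] += 1
        elif event.get("eventName") in CORRELATED_EVENTS:
            entry["correlated_index_calls"] += 1
    # Only keys that actually triggered the rule are interesting for triage.
    return {k: v for k, v in summary.items() if v["list_resources_calls"] > 0}


if __name__ == "__main__":
    for key_id, entry in triage_summary(parse_events(SAMPLE_LOG_LINES)).items():
        print(key_id, entry)
```

In the sample data the temporary key's ListResources call is ignored, while the long-term key shows two calls across two regions, both outside business hours, preceded by GetIndex and followed by CreateIndex from the same key, which is exactly the combination the triage steps flag for closer review.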