Anomalous API Gateway API key reads by user

Goal

Detect when a user is enumerating API Gateway API keys.

Strategy

Baseline GetApiKeys events by @userIdentity.session_name to surface anomalous GetApiKeys calls.
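The per-session baselining described above, as an added example (not Datadog's rule logic or code from this page). It assumes hourly buckets and a median + MAD threshold as a stand-in for the anomaly method; the events are constructed, with a `session_name` field mirroring the `@userIdentity.session_name` attribute.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

def hourly_counts(events):
    """Count GetApiKeys calls per session name and hour bucket."""
    counts = defaultdict(Counter)
    for e in events:
        if e.get("eventName") != "GetApiKeys":
            continue  # other API Gateway reads are out of scope for this rule
        ts = datetime.fromisoformat(e["eventTime"].rstrip("Z"))
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[e["userIdentity"]["session_name"]][hour] += 1
    return counts

def anomalous_sessions(events, window, baseline_hours=4, k=3.0, floor=5):
    """Return {session: (current, threshold)} for sessions whose call count in
    `window` exceeds median + k*MAD of their preceding `baseline_hours`.
    Quiet hours count as 0, so a session with no history is held to `floor`."""
    flagged = {}
    for session, per_hour in hourly_counts(events).items():
        history = [per_hour.get(window - timedelta(hours=i), 0)
                   for i in range(1, baseline_hours + 1)]
        med = median(history)
        mad = median(abs(c - med) for c in history)
        # max(mad, 1) keeps a perfectly flat baseline from flagging +1 call
        threshold = max(floor, med + k * max(mad, 1))
        current = per_hour.get(window, 0)
        if current > threshold:
            flagged[session] = (current, threshold)
    return flagged

# Constructed sample events (account ID, role and session names are made up).
def evt(session, ts, name="GetApiKeys"):
    arn = f"arn:aws:sts::111111111111:assumed-role/ExampleRole/{session}"
    return {"eventName": name, "eventTime": ts,
            "userIdentity": {"arn": arn, "session_name": session}}

WINDOW = datetime(2024, 5, 1, 12)
SAMPLE = (
    [evt("ci-deploy", f"2024-05-01T{h:02d}:{m:02d}:00Z")
     for h in range(8, 13) for m in (5, 35)]            # steady 2 calls/hour
    + [evt("alice", "2024-05-01T09:10:00Z"), evt("alice", "2024-05-01T11:20:00Z")]
    + [evt("alice", f"2024-05-01T12:{m:02d}:00Z") for m in range(12)]  # burst
    + [evt("new-session", f"2024-05-01T12:{m:02d}:30Z") for m in range(3)]
    + [evt("alice", "2024-05-01T12:30:00Z", name="GetRestApis")]      # ignored
)

if __name__ == "__main__":
    print(anomalous_sessions(SAMPLE, WINDOW))
```

Only the session that departs from its own history is flagged; the steady automation session and the low-volume new session stay below the threshold.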

Triage and response

  1. Investigate activity for the following ARN {{@userIdentity.arn}} using {{@userIdentity.session_name}}.
  2. Review any other security signals for {{@userIdentity.arn}}.