Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1526-cloud-service-discovery

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects denied List* and Get* AWS API calls made with a long-term IAM access key across many distinct regions for the same principal. An alert fires when that cross-region denied discovery pattern exceeds the rule’s configured threshold within the evaluation window.

Strategy

This rule monitors management events where @evt.name matches read-style discovery operations, @userIdentity.accessKeyId is a long-term IAM user key prefix AKIA, and @error.kind is AccessDenied. Activity is evaluated per IAM principal while counting how many different @awsRegion values appear for that pattern, surfacing principals whose denied discovery volume across regions crosses the threshold. The same shape of activity is uncommon for tightly scoped automation with correct least privilege and is a strong signal to validate credential use and policy intent.

Triage & Response

• Verify whether {{@userIdentity.arn}} and the associated access key are tied to approved automation, a shared service account, or an individual user.
• Review surrounding CloudTrail for the same {{@userIdentity.accessKeyId}} to see which APIs succeeded or failed and whether regions align with known workloads.
• Determine if AccessDenied on List* and Get* calls reflects deliberate policy guardrails or unexpected use of the key outside its intended scope.
• Identify when the key was issued or last rotated and whether any recent changes to IAM users, roles, or policies could explain the behavior.
• Check for correlated signals on the same principal or source IP around the alert time to distinguish misconfiguration from credential misuse.