
Anomalous API Gateway API key reads by user

cloudtrail

Classification: attack

Tactic:

Goal

Detect when a user is enumerating API Gateway API keys.

Strategy

Baseline GetApiKeys events by @userIdentity.session_name to surface anomalous GetApiKeys calls.
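
One way to reproduce this baselining offline over exported CloudTrail records, as an added example that is not the rule's own logic. The hourly buckets, the 24-hour baseline, the mean-plus-three-sigma threshold, the minimum call count, and deriving the session name from the assumed-role ARN are all assumptions of this sketch.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format

def session_name(arn):
    """Assumption: the session name is the last segment of an assumed-role ARN."""
    return arn.rsplit("/", 1)[-1] if ":assumed-role/" in arn else None

def hourly_counts(records):
    """Count GetApiKeys calls per (session name, hour bucket)."""
    counts = Counter()
    for r in records:
        if (r["eventSource"], r["eventName"]) != ("apigateway.amazonaws.com", "GetApiKeys"):
            continue
        name = session_name(r["userIdentity"]["arn"])
        if name:  # identities without a session name are out of scope here
            hour = datetime.strptime(r["eventTime"], FMT).replace(minute=0, second=0)
            counts[(name, hour)] += 1
    return counts

def anomalous_sessions(records, hour, baseline_hours=24, sigmas=3.0, min_calls=5):
    """Flag sessions whose calls in `hour` exceed their own mean + sigmas * stddev."""
    counts = hourly_counts(records)
    flagged = {}
    for name in {n for n, _ in counts}:
        history = [counts[(name, hour - timedelta(hours=h))] for h in range(1, baseline_hours + 1)]
        threshold = mean(history) + sigmas * pstdev(history)
        current = counts[(name, hour)]
        if current >= min_calls and current > threshold:
            flagged[name] = (current, round(threshold, 2))
    return flagged

# Constructed sample records (not real CloudTrail data).
def _rec(arn, when, event="GetApiKeys"):
    return {"eventSource": "apigateway.amazonaws.com", "eventName": event,
            "eventTime": when.strftime(FMT), "userIdentity": {"arn": arn}}

NOW = datetime(2024, 5, 2, 12)
CI = "arn:aws:sts::123456789012:assumed-role/deploy/ci-runner"
DEV = "arn:aws:sts::123456789012:assumed-role/developer/alice"
SAMPLE = [_rec(CI, NOW - timedelta(hours=h) + timedelta(minutes=i))  # steady: 6 calls every hour
          for h in range(25) for i in range(6)]
SAMPLE += [_rec(DEV, NOW - timedelta(hours=10)), _rec(DEV, NOW, "GetRestApis")]
SAMPLE += [_rec(DEV, NOW + timedelta(minutes=i)) for i in range(12)]  # sudden burst

if __name__ == "__main__":
    print(anomalous_sessions(SAMPLE, NOW))
```

The steady `ci-runner` session stays below its own baseline, while the burst from `alice` is flagged even though its absolute volume is only twice that of the automation.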

Triage and response

  1. Investigate activity for the following ARN {{@userIdentity.arn}} using {{@userIdentity.session_name}}.
  2. Review any other security signals for {{@userIdentity.arn}}.