Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An AWS service token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate a token and abuse it remotely.
Investigative actions
- Check what actions were executed by the service.
- Check if the IAM role was assumed by a different identity.
- Check which API calls were executed by the access key.
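One way to run these checks over CloudTrail records, as an added example that is not part of the original page. The sample records, key IDs, account ID and the internal address ranges are constructed assumptions; the field names (`userIdentity.accessKeyId`, `userIdentity.arn`, `sourceIPAddress`, `eventSource`, `eventName`) are standard CloudTrail fields.

```python
import ipaddress
from collections import defaultdict

# Assumption: ranges the environment's workloads egress from (VPC CIDRs, NAT IPs).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

def _ev(name, source, ip, key, session):
    """Build a constructed CloudTrail-style record with only the fields used here."""
    arn = f"arn:aws:sts::111122223333:assumed-role/app-role/{session}"
    return {"eventName": name, "eventSource": source, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": key, "arn": arn}}

# Constructed sample data; key IDs, account ID and addresses are placeholders.
KEY = "ASIAEXAMPLEKEY000001"
SAMPLE_EVENTS = [
    _ev("DescribeInstances", "ec2.amazonaws.com", "10.0.3.17", KEY, "i-0abc"),
    _ev("ListBuckets", "s3.amazonaws.com", "203.0.113.50", KEY, "i-0abc"),
    _ev("GetObject", "s3.amazonaws.com", "203.0.113.50", KEY, "i-0abc"),
    _ev("Decrypt", "kms.amazonaws.com", "ec2.amazonaws.com", KEY, "i-0abc"),
    _ev("GetCallerIdentity", "sts.amazonaws.com", "10.0.9.4",
        "ASIAEXAMPLEKEY000002", "manual-session"),
]

def is_external(source):
    """True when the source is an IP address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # sourceIPAddress can be an AWS service name, not an IP
    return not any(addr in net for net in INTERNAL_NETS)

def triage(events, access_key_id):
    """Summarise calls made with one access key and list other sessions of its role."""
    calls, roles = defaultdict(set), set()
    for ev in events:
        ident = ev["userIdentity"]
        if ident.get("accessKeyId") == access_key_id:
            calls[ev["sourceIPAddress"]].add(f'{ev["eventSource"]}:{ev["eventName"]}')
            roles.add(ident["arn"].rsplit("/", 1)[0])  # role ARN without session name
    others = {ev["userIdentity"]["arn"] for ev in events
              if ev["userIdentity"].get("accessKeyId") != access_key_id
              and ev["userIdentity"]["arn"].rsplit("/", 1)[0] in roles}
    return {"calls_by_source": {s: sorted(c) for s, c in calls.items()},
            "external_sources": sorted(s for s in calls if is_external(s)),
            "other_role_sessions": sorted(others)}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, KEY))
```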
Variations
Remote usage of an AWS EKS token
Suspicious usage of an AWS EKS token
Suspicious usage of an AWS ECS token
Remote usage of an AWS ECS token
Suspicious usage of AWS service token