AWS Network Configuration Discovery

View all detections
AWS Network Configuration Discovery


  • An AWS control-plane API was observed programmatically enumerating the configuration details associated with the Virtual Private Network (VPC) such as Network Interfaces, Gateways, Network ACLs and Route Tables.

Possible Root Causes

  • An attacker may be actively enumerating how networks in the environment are configured in order to further their attack.
  • An administrator may intentionally be enumerating network configurations as part of their normal duties.

Business Impact

  • Recon may indicate the presence of an adversary gaining details necessary to support additional malicious activities within the environment. A successful attack may yield information that can be used by an adversary to mount a campaign within the AWS Environment.

Steps to Verify

  • Investigate the Principal that performed the action for other signs of malicious activity.
  • Investigate if any modifications were made to the enumerated VPCs such as changes to Network Interfaces, Gateways, Network ACLs or Routing Tables.
  • Validate that any changes were authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration change:
    - Revert configuration change.
    - Disable credentials associated with this alert.
    - Perform a comprehensive investigation to determine initial compromise and the scope of impacted resources.