AWS Organization Discovery

View all detections
AWS Organization Discovery


  • A user lists AWS account aliases via ListAliases or retrieves details for the AWS organization via DescribeOrganization

Possible Root Causes

  • An attacker is enumerating details on the AWS organization to further their attack planning and next steps.
  • An administrator or user is retrieving organization details as part of their normal duties.
  • Automation in the environment is collecting these details to support additional activities.

Business Impact

  • Recon may indicate the presence of an adversary gaining details necessary to support additional malicious activities within the environment.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.