AWS Suspect Credential Access from ECS

Detection overview

Triggers

  • A credential was observed performing a set of API requests that retrieve a broad range of container configuration details, which may further an attack by leaking credentials or other data about the environment.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities.
  • A security or IT service may intentionally be enumerating these APIs for monitoring or configuration management reasons.

Business Impact

  • Stolen credentials allow an adversary to leverage authorized services and APIs to extend their attack, which can be difficult for traditional security solutions to detect.
  • Abused credentials are typically associated with impactful attacks and, if left unmitigated, increase the likelihood that an adversary inflicts a loss of data or service availability.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If the review indicates possible malicious actions or a high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.
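To support the first verification step, the following added example (not the page's own detection logic) scans constructed CloudTrail records and reports any principal that calls many distinct ECS configuration-read APIs within a short window, which is the pattern this detection describes. The API list, the 10-minute window and the threshold of five distinct APIs are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of ECS read APIs that together expose task definitions (env vars,
# secret references), services and cluster layout; chosen for illustration.
ECS_ENUM_APIS = {
    "ListClusters", "DescribeClusters", "ListServices", "DescribeServices",
    "ListTasks", "DescribeTasks", "ListTaskDefinitions", "DescribeTaskDefinition",
    "ListContainerInstances", "DescribeContainerInstances",
}

def find_suspect_enumeration(records, window=timedelta(minutes=10), min_distinct=5):
    """Map each principal ARN that called >= min_distinct distinct ECS enumeration
    APIs inside any `window`-long sliding window to the sorted list of those APIs.
    Thresholds are assumptions, not the page's tuning."""
    by_principal = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "ecs.amazonaws.com" or r.get("eventName") not in ECS_ENUM_APIS:
            continue
        # CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-05-01T10:00:00Z
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[r["userIdentity"]["arn"]].append((ts, r["eventName"]))
    hits = {}
    for arn, events in by_principal.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {name for ts, name in events[i:] if ts - start <= window}
            if len(names) >= min_distinct:
                hits[arn] = sorted(names)
                break
    return hits

def _rec(arn, name, ts):
    # Minimal constructed CloudTrail record; real records carry many more fields.
    return {"eventSource": "ecs.amazonaws.com", "eventName": name,
            "eventTime": ts, "userIdentity": {"arn": arn}}

SUSPECT = "arn:aws:sts::123456789012:assumed-role/app-task-role/task"  # constructed
BENIGN = "arn:aws:iam::123456789012:user/config-monitor"               # constructed

SAMPLE_RECORDS = [  # constructed: five distinct APIs in two minutes vs. slow, sparse polling
    _rec(SUSPECT, "ListClusters", "2024-05-01T10:00:00Z"),
    _rec(SUSPECT, "DescribeClusters", "2024-05-01T10:00:20Z"),
    _rec(SUSPECT, "ListTasks", "2024-05-01T10:00:45Z"),
    _rec(SUSPECT, "DescribeTasks", "2024-05-01T10:01:10Z"),
    _rec(SUSPECT, "DescribeTaskDefinition", "2024-05-01T10:02:00Z"),
    _rec(BENIGN, "ListTasks", "2024-05-01T10:00:00Z"),
    _rec(BENIGN, "DescribeServices", "2024-05-01T10:05:00Z"),
    _rec(BENIGN, "DescribeTasks", "2024-05-01T18:00:00Z"),
]
```

Calling `find_suspect_enumeration(SAMPLE_RECORDS)` returns only the constructed task-role principal; the monitoring user never reaches five distinct APIs inside one window, matching the benign root cause listed above.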