AWS Suspect Credential Access from ECS

View all detections
AWS Suspect Credential Access from ECS


  • Credential was observed performing a set of API requests to retrieve a broad range of container configuration details which may further their attack through the leak of credentials or other data about the environment.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities.
  • A security or IT service may intentionally be enumerating these APIs for monitoring or configuration management reasons.

Business Impact

  • Stolen credentials allow an adversary to leverage authorized services and APIs to extend their attack which can be difficult for traditional security solutions to detect.
  • Abused credentials are typically associated with impactful attacks, and if unmitigated may increase the likelihood that an adversary may inflict a loss of data or service availability.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.