AWS Suspect Escalation Reconnaissance

Detection overview

The AWS Suspect Escalation Reconnaissance detection identifies unusual or unauthorized attempts to gain visibility into AWS Identity and Access Management (IAM) roles, permissions, and access keys. This activity often precedes privilege escalation attacks, where attackers aim to determine potential escalation paths or abuse misconfigured permissions for unauthorized access. By flagging suspicious reconnaissance behavior, this detection helps security teams intercept malicious actors before they gain elevated access to critical cloud resources.

Triggers

  • Credential was observed performing a set of unusual API requests that can be associated with the discovery or subsequent phase of an attack.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities.
  • A security or IT service may intentionally be enumerating these APIs for monitoring reasons.

Business Impact

  • Privilege escalation may indicate the presence of an adversary that is modifying permissions to progress towards an objective.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or a high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.

Possible root causes

Malicious Detection

Malicious actors performing AWS suspect escalation reconnaissance aim to identify vulnerabilities in IAM permissions. This can include searching for over-permissive roles, roles with privileges that allow privilege escalation (e.g., iam:PassRole or sts:AssumeRole), or access keys with higher-than-necessary privileges. Attackers often use this information to gain unauthorized access to critical resources, execute lateral movement, or escalate privileges to compromise the cloud environment entirely. Tools like AWS CLI, SDKs, or third-party reconnaissance tools are often employed to automate this discovery process.

Benign Detection

In legitimate scenarios, AWS administrators or DevOps engineers may engage in IAM role and policy enumeration as part of routine audits or compliance checks. For instance, querying IAM roles and policies is common during role-based access reviews, permissions cleanup, or while configuring and validating cloud infrastructure. Such activities, although valid, could resemble reconnaissance behavior and may inadvertently trigger the detection.

Example scenarios

Malicious scenario: Attacker probing IAM roles

An attacker compromises AWS access keys through phishing and begins querying IAM roles and attached policies using ListRoles and GetRolePolicy. This detection triggers, highlighting the reconnaissance activity before the attacker identifies and exploits a vulnerable privilege escalation path.

Benign scenario: Admin performing compliance checks

A cloud administrator conducts an IAM policy review to identify and clean up overly permissive roles. The admin uses AWS CLI to query policies and roles for a detailed audit. This legitimate activity triggers the detection due to its similarity to attacker reconnaissance.
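The burst-then-escalate sequence from the malicious scenario, and the audit from the benign scenario that looks the same on the wire, as an added Python example that is not part of this page and not the vendor's detection logic: it scans constructed CloudTrail-style records, flags any credential whose set of distinct IAM/STS discovery calls inside a short window goes beyond that credential's learned baseline, and then gathers the context the Steps to Verify ask for (principal ARN, source IPs, client user agents, and any IAM write calls that would show escalation already underway). The API lists, the window and threshold, the access key ids, the ARNs and the baseline are all assumptions.

```python
"""Flag an IAM/STS discovery burst per credential in CloudTrail-shaped events, then
collect triage context.  All sample data and thresholds here are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format

# Read-only IAM/STS calls commonly chained when mapping escalation paths (assumed list).
DISCOVERY_APIS = {
    "GetCallerIdentity", "ListUsers", "ListAccessKeys", "ListRoles", "GetRole",
    "ListRolePolicies", "ListAttachedRolePolicies", "GetRolePolicy", "ListPolicies",
    "GetPolicy", "GetPolicyVersion", "GetAccountAuthorizationDetails",
}
# IAM write calls whose presence after a burst means escalation is no longer hypothetical.
IAM_WRITE_APIS = {
    "AttachRolePolicy", "AttachUserPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreateAccessKey", "CreatePolicyVersion", "UpdateAssumeRolePolicy", "AddUserToGroup",
}

ATTACKER_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example key id, standing in for a phished key
ADMIN_KEY = "AKIAEXAMPLEADMIN0001"     # constructed key id
DEV_ARN = "arn:aws:iam::111122223333:user/dev-ci"        # constructed
ADMIN_ARN = "arn:aws:iam::111122223333:user/cloud-admin"  # constructed


def event(ts, key, arn, api, ip, ua):
    """Build a minimal CloudTrail-shaped record with only the fields this example uses."""
    source = "sts.amazonaws.com" if api in {"GetCallerIdentity", "AssumeRole"} else "iam.amazonaws.com"
    return {"eventTime": ts, "eventSource": source, "eventName": api,
            "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"accessKeyId": key, "arn": arn}}


def burst(start, key, arn, apis, ip, ua, step=15):
    """Emit one event per API name, `step` seconds apart, starting at `start`."""
    t0 = datetime.strptime(start, TS_FMT)
    return [event((t0 + timedelta(seconds=step * i)).strftime(TS_FMT), key, arn, api, ip, ua)
            for i, api in enumerate(apis)]


# Constructed sample: a phished dev-ci key walks IAM from a new address and then attaches a
# policy; an administrator runs a routine audit from the usual bastion an hour later.
SAMPLE_EVENTS = (
    burst("2024-05-01T09:00:12Z", ATTACKER_KEY, DEV_ARN,
          ["GetCallerIdentity", "ListUsers", "ListAccessKeys", "ListRoles", "GetRole",
           "ListAttachedRolePolicies", "GetPolicyVersion", "GetRolePolicy", "AttachUserPolicy"],
          "198.51.100.23", "aws-cli/2.15.30")
    + burst("2024-05-01T10:00:00Z", ADMIN_KEY, ADMIN_ARN,
            ["ListRoles", "GetRole", "ListRolePolicies", "ListAttachedRolePolicies",
             "GetPolicy", "GetPolicyVersion", "GetRolePolicy"],
            "203.0.113.8", "aws-cli/2.15.30")
)

# Routine call set learned for the admin key over a prior period (constructed baseline).
BASELINE = {ADMIN_KEY: {"ListRoles", "GetRole", "ListRolePolicies", "ListAttachedRolePolicies",
                        "ListPolicies", "GetPolicy", "GetPolicyVersion", "GetRolePolicy"}}


def detect_recon_bursts(events, window=timedelta(minutes=10), min_distinct=5, baseline=None):
    """Return {accessKeyId: sorted novel discovery APIs} for every credential that issued at
    least `min_distinct` distinct discovery calls outside its baseline within `window`."""
    baseline = baseline or {}
    by_key = defaultdict(list)
    for e in events:
        if e["eventName"] in DISCOVERY_APIS:
            by_key[e["userIdentity"]["accessKeyId"]].append(e)
    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])  # ISO-8601 Z timestamps sort lexically
        times = [datetime.strptime(e["eventTime"], TS_FMT) for e in evs]
        routine = baseline.get(key, set())
        start = 0
        for end in range(len(evs)):  # sliding window over this credential's calls
            while times[end] - times[start] > window:
                start += 1
            novel = {e["eventName"] for e in evs[start:end + 1]} - routine
            if len(novel) >= min_distinct and len(novel) > len(flagged.get(key, ())):
                flagged[key] = sorted(novel)
    return flagged


def triage_context(events, key):
    """Context for the Steps to Verify: who the credential is, where and with which client it
    was used, and whether any IAM write call followed the reconnaissance."""
    evs = [e for e in events if e["userIdentity"]["accessKeyId"] == key]
    return {
        "arn": sorted({e["userIdentity"]["arn"] for e in evs}),
        "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
        "user_agents": sorted({e["userAgent"] for e in evs}),
        "iam_writes": [(e["eventTime"], e["eventName"]) for e in evs
                       if e["eventName"] in IAM_WRITE_APIS],
    }


if __name__ == "__main__":
    for label, base in (("no baseline", None), ("with baseline", BASELINE)):
        hits = detect_recon_bursts(SAMPLE_EVENTS, baseline=base)
        print(f"[{label}] flagged: {sorted(hits)}")
        for key in hits:
            print(json.dumps({key: triage_context(SAMPLE_EVENTS, key)}, indent=2))
```

Run with no baseline, both credentials are flagged, which is exactly why the administrator's audit in the benign scenario raises this detection. Supplying a per-credential baseline of routine calls (or an allow-list for known audit tooling) is the tuning lever that leaves only the phished key; and the IAM write call that `triage_context` surfaces after that key's burst is the evidence that moves the case from "validate that the modification was authorized" to "revert and disable the credential".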

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Compromise of critical resources

Attackers identifying misconfigured roles may escalate privileges and gain unauthorized access to sensitive data or services.

Regulatory and compliance risk

A breach resulting from IAM privilege misuse can expose sensitive data, potentially leading to non-compliance with regulations like GDPR or HIPAA.

Operational disruption

Privilege escalation can enable attackers to modify configurations or disrupt operations, potentially impacting business continuity.
