- A user lists AWS account aliases via ListAliases or retrieves details for the AWS organization via DescribeOrganization.
Possible Root Causes
- An attacker is enumerating details on the AWS organization to further their attack planning and next steps.
- An administrator or user is retrieving organization details as part of their normal duties.
- Automation in the environment is collecting these details to support additional activities.
- Recon may indicate the presence of an adversary gaining details necessary to support additional malicious activities within the environment.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- If review indicates possible malicious actions or high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.
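
The first verification step can be supported with a small triage script over CloudTrail records. The following is an added example, not part of the original detection: it groups events by principal and, for each principal that issued ListAliases or DescribeOrganization, summarises what else that principal did around the same time. The one-hour window, the principal ARNs and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECON_EVENTS = {"ListAliases", "DescribeOrganization"}  # API names from the trigger
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}  # CloudTrail errorCode values
WINDOW = timedelta(hours=1)  # assumed review window around each recon call

def rec(time, name, arn, ip, error=None):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    r = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"arn": arn}}
    if error:
        r["errorCode"] = error
    return r

SVC = "arn:aws:iam::111122223333:user/build-svc"    # constructed principal
ADMIN = "arn:aws:iam::111122223333:user/org-admin"  # constructed principal
SAMPLE = [
    rec("2024-01-10T09:00:00Z", "DescribeOrganization", SVC, "198.51.100.7"),
    rec("2024-01-10T09:01:00Z", "ListAliases", SVC, "198.51.100.7"),
    rec("2024-01-10T09:05:00Z", "ListUsers", SVC, "198.51.100.7", "AccessDenied"),
    rec("2024-01-10T09:10:00Z", "CreateAccessKey", SVC, "203.0.113.50", "AccessDenied"),
    rec("2024-01-10T14:00:00Z", "DescribeOrganization", ADMIN, "192.0.2.10"),
    rec("2024-01-10T18:00:00Z", "GetObject", ADMIN, "192.0.2.10"),
]

def ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def triage(records):
    """Per principal that made a recon call, summarise its activity within WINDOW."""
    by_arn = defaultdict(list)
    for r in records:
        by_arn[r["userIdentity"]["arn"]].append(r)
    report = {}
    for arn, events in by_arn.items():
        recon_times = [ts(e) for e in events if e["eventName"] in RECON_EVENTS]
        if not recon_times:
            continue  # principal never issued the triggering calls
        nearby = [e for e in events
                  if any(abs(ts(e) - t) <= WINDOW for t in recon_times)]
        report[arn] = {
            "calls": sorted({e["eventName"] for e in nearby}),
            "source_ips": sorted({e["sourceIPAddress"] for e in nearby}),
            "denied": sum(1 for e in nearby if e.get("errorCode") in DENIED),
        }
    return report

if __name__ == "__main__":
    for arn, summary in triage(SAMPLE).items():
        print(arn, summary)
```

A principal whose recon calls sit next to denied requests, identity-management calls or a change of source IP deserves closer review than one whose only activity in the window is the organization lookup itself.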