Anomalous API Gateway API key reads by user

cloudtrail

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1552-unsecured-credentials

Goal

Detect when a user is enumerating API Gateway API keys.

Strategy

Baseline GetApiKeys events by @userIdentity.session_name to surface anomalous GetApiKeys calls.

Triage and response

  1. Investigate activity for the following ARN {{@userIdentity.arn}} using {{@userIdentity.session_name}}.
  2. Review any other security signals for {{@userIdentity.arn}}.
PREVIEWING: hakanb/add-fail-incomplete-chain-advanced-option-to-synthetic-api-tests