AWS Account Discovery By Rare User

Identifies the first time, within a lookback window, an identity performs AWS Organizations or IAM account enumeration APIs. Attackers with compromised credentials often map the organization (accounts, OUs, roots, delegated admins) and account-level metadata (aliases, summary) using the AWS CLI or SDKs. This is a New Terms rule detecting a rare occurrence of the cloud.account.id and user.name pair for these actions.

Rule type: new_terms
Rule indices:

  • logs-aws.cloudtrail-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS CloudTrail
  • Data Source: AWS Organizations
  • Data Source: AWS IAM
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

AWS Organizations and IAM expose read APIs that reveal organization structure, member accounts, delegation, and account-level aliases. Threat actors and tools such as Pacu (organizations__enum) chain these calls to understand multi-account layout after credential access.

This rule uses New Terms to detect when an identity makes a discovery API call that has not been seen in the configured history window.

Identify the actor and session context

  • Confirm who user.name and aws.cloudtrail.user_identity.arn represent (human, workload role, automation).

Analyze the source and origin

  • Review source.ip, geolocation, and whether the call aligns with normal egress for that principal.
  • Inspect user_agent.original for CLI, Boto3/Botocore, consoles, or unfamiliar tooling.

Correlate with additional events

  • Correlate with STS calls (GetCallerIdentity, AssumeRole) and with broader discovery or privilege changes in the same session.
  • If the principal is new or rarely used, review IAM policies and recent key rotation.

False positive analysis

  • Documented org-admin or security roles in the management account; add exceptions by ARN if needed.
  • Centralized compliance or CSPM tooling that enumerates org structure on a schedule.

Response and remediation

  • If unexpected, rotate credentials for the implicated principal, review CloudTrail for follow-on API activity, and tighten least privilege on Organizations/IAM read APIs where appropriate.
Rule query

event.dataset: "aws.cloudtrail"
    and event.outcome: "success"
    and source.ip:*
    and not aws.cloudtrail.session_credential_from_console: "true"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and (
        (
            event.provider: "organizations.amazonaws.com"
            and event.action: (
                "DescribeOrganization" or "DescribeOrganizationalUnit" or "ListAccounts" or "ListRoots"
                or "ListOrganizationalUnitsForParent" or "ListAccountsForParent" or "ListPolicies"
                or "ListAWSServiceAccessForOrganization" or "ListDelegatedAdministrators"
                or "ListDelegatedServicesForAccount" or "DescribeResourcePolicy"
            )
        )
        or (
            event.provider: "iam.amazonaws.com"
            and event.action: ("ListAccountAliases" or "GetAccountSummary")
        )
    )
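As an added illustration of how the query filter and the New Terms logic fit together (example code, not the rule's own implementation or Elastic's), the following mirrors the query's predicates on flattened CloudTrail events and raises an alert the first time a cloud.account.id and user.name pair matches within a history window; the 7-day window, the constructed events, the user names and the helper names are assumptions.

```python
# Added example, not part of the Elastic rule: re-implements the rule's query filter and
# New Terms alerting on (cloud.account.id, user.name) over constructed CloudTrail-like events.
from datetime import datetime, timedelta, timezone
ORG_ACTIONS = {"DescribeOrganization", "DescribeOrganizationalUnit", "ListAccounts", "ListRoots",
               "ListOrganizationalUnitsForParent", "ListAccountsForParent", "ListPolicies",
               "ListAWSServiceAccessForOrganization", "ListDelegatedAdministrators",
               "ListDelegatedServicesForAccount", "DescribeResourcePolicy"}
IAM_ACTIONS = {"ListAccountAliases", "GetAccountSummary"}

def matches_query(ev):
    # Same predicates as the rule's KQL, evaluated on a flattened ECS event (dotted keys).
    if ev.get("event.dataset") != "aws.cloudtrail" or ev.get("event.outcome") != "success":
        return False
    if not ev.get("source.ip"):  # source.ip:* requires the field to be present
        return False
    if (ev.get("aws.cloudtrail.session_credential_from_console") == "true"
            or ev.get("aws.cloudtrail.user_identity.type") == "AWSService"):
        return False  # console sessions and AWS service principals are excluded
    provider, action = ev.get("event.provider"), ev.get("event.action")
    return ((provider == "organizations.amazonaws.com" and action in ORG_ACTIONS)
            or (provider == "iam.amazonaws.com" and action in IAM_ACTIONS))

def new_terms_alerts(events, history=timedelta(days=7)):
    # Alert the first time an (account, user) pair matches within the history window;
    # the 7-day default is an assumption, the rule's configured window is what applies.
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key, ts = (ev["cloud.account.id"], ev["user.name"]), ev["@timestamp"]
        if key not in last_seen or ts - last_seen[key] > history:
            alerts.append((ts, key, ev["event.action"]))
        last_seen[key] = ts
    return alerts

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamps
def _ev(offset, user, provider, action, **extra):
    base = {"@timestamp": T0 + offset, "event.dataset": "aws.cloudtrail", "event.outcome": "success",
            "source.ip": "203.0.113.10", "cloud.account.id": "111122223333", "user.name": user,
            "event.provider": provider, "event.action": action}
    return {**base, **extra}
SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    _ev(timedelta(0), "org-admin", "organizations.amazonaws.com", "ListAccounts"),
    _ev(timedelta(hours=1), "org-admin", "organizations.amazonaws.com", "DescribeOrganization"),
    _ev(timedelta(days=2), "cli-user", "organizations.amazonaws.com", "ListRoots",
        **{"aws.cloudtrail.session_credential_from_console": "true"}),  # dropped: console session
    _ev(timedelta(days=2, hours=1), "cli-user", "iam.amazonaws.com", "ListAccountAliases"),
    _ev(timedelta(days=3), "cli-user", "iam.amazonaws.com", "GetAccountSummary", **{"event.outcome": "failure"}),
    _ev(timedelta(days=20), "org-admin", "organizations.amazonaws.com", "ListAccounts"),
]
```

Running new_terms_alerts(SAMPLE_EVENTS) yields three alerts: org-admin's first ListAccounts, cli-user's first matching call, and org-admin again once its last sighting falls outside the window, while the console-session and failed calls never reach the New Terms stage.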

Framework: MITRE ATT&CK