Adversary gains access to cloud-hosted services such as AWS SES, SNS, or OpenAI API, enables or modifies usage policies, and initiates resource-intensive actions (e.g., mass email/SMS or LLM queries), often from unauthorized regions or under anomalous identity conditions.
| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | PutIdentityPolicy |
| Application Log Content (DC0038) | AWS:CloudTrail | SendEmail |
| User Account Metadata (DC0013) | AWS:CloudTrail | AssumeRole |

| Field | Description |
|---|---|
| TimeWindow | Define threshold period over which request spikes are measured. E.g., 10 min or 1 hour windows. |
| UserContext | Alert only if role/user is outside expected automation identity list. |
| RequestVolumeThreshold | Customize the number of emails/SMS or API calls considered anomalous. |
| GeoVelocityThreshold | Tune geolocation jump logic (e.g., login from US, then use service in Asia within minutes). |
| ModelUsageQuotaSpike | Set maximum allowable deviation from past 7-day average OpenAI/GPT token usage. |
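As an added example (not code from the ATT&CK page or from any analytic it references), the following Python applies the tunables above to constructed CloudTrail-shaped records: `PutIdentityPolicy` outside the `UserContext` allow-list, `SendEmail` volume per identity inside a sliding `TimeWindow`, an `AssumeRole` session that uses a service from a different region within `GeoVelocityThreshold`, and an LLM token count compared against a trailing 7-day average for `ModelUsageQuotaSpike`. The account id, ARNs, threshold values and the per-day token history are assumptions; `awsRegion` stands in for IP geolocation in the geo-velocity check, and the spike is expressed as a multiple of the 7-day average.

```python
# Added example, not part of the ATT&CK page: the tunable fields applied to
# constructed CloudTrail-style records. ARNs, account id and thresholds are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables from the table above; the values are assumptions for this example.
TIME_WINDOW = timedelta(minutes=10)
REQUEST_VOLUME_THRESHOLD = 50               # SendEmail calls per identity per window
GEO_VELOCITY_THRESHOLD = timedelta(minutes=5)
MODEL_USAGE_QUOTA_SPIKE = 3.0               # multiple of the trailing 7-day token average
EXPECTED_AUTOMATION = {"arn:aws:iam::111122223333:role/ses-newsletter"}  # UserContext list

ACCT = "111122223333"                       # constructed account id
MAILER = f"arn:aws:iam::{ACCT}:role/ses-newsletter"
SESSION = f"arn:aws:sts::{ACCT}:assumed-role/DevOpsAdmin/odd-session"  # hypothetical session
T0 = datetime(2024, 5, 1, 12, 0, 0)

def _event(name, arn, when, region, **extra):
    """Build a minimal CloudTrail-shaped record (constructed, not captured)."""
    return {"eventName": name, "eventTime": when.isoformat(), "awsRegion": region,
            "userIdentity": {"arn": arn}, **extra}

def sample_events():
    """Constructed trail: one role assumption in us-east-1, then policy change and
    60 sends from ap-southeast-1, alongside 20 routine sends from the approved mailer."""
    ev = [_event("AssumeRole", f"arn:aws:iam::{ACCT}:user/alice", T0, "us-east-1",
                 responseElements={"assumedRoleUser": {"arn": SESSION}}),
          _event("PutIdentityPolicy", SESSION, T0 + timedelta(minutes=1), "ap-southeast-1")]
    for i in range(20):
        ev.append(_event("SendEmail", MAILER, T0 + timedelta(seconds=30 * i), "us-east-1"))
    for i in range(60):
        ev.append(_event("SendEmail", SESSION, T0 + timedelta(minutes=2, seconds=5 * i), "ap-southeast-1"))
    return ev

def _sorted(events):
    return sorted(events, key=lambda e: e["eventTime"])

def detect_policy_change(events):
    """DC0069 / PutIdentityPolicy: sending-policy changes by any identity outside UserContext."""
    return [{"rule": "policy_change", "identity": e["userIdentity"]["arn"], "time": e["eventTime"]}
            for e in events
            if e["eventName"] == "PutIdentityPolicy"
            and e["userIdentity"]["arn"] not in EXPECTED_AUTOMATION]

def detect_volume_spike(events):
    """DC0038 / SendEmail: more than RequestVolumeThreshold sends per identity inside
    a sliding TimeWindow; one alert per identity."""
    recent = defaultdict(deque)             # identity -> send timestamps inside the window
    alerts, alerted = [], set()
    for e in _sorted(events):
        if e["eventName"] != "SendEmail":
            continue
        arn, t = e["userIdentity"]["arn"], datetime.fromisoformat(e["eventTime"])
        q = recent[arn]
        q.append(t)
        while t - q[0] > TIME_WINDOW:       # drop sends that fell out of the window
            q.popleft()
        if len(q) > REQUEST_VOLUME_THRESHOLD and arn not in alerted:
            alerted.add(arn)
            alerts.append({"rule": "volume_spike", "identity": arn,
                           "time": e["eventTime"], "count": len(q)})
    return alerts

def detect_geo_velocity(events):
    """DC0013 / AssumeRole: a session minted in one region that calls a service from
    another region within GeoVelocityThreshold. awsRegion is the location proxy here;
    a production rule would geolocate sourceIPAddress instead."""
    sessions = {}                           # session ARN -> (AssumeRole time, region)
    alerts = []
    for e in _sorted(events):
        t = datetime.fromisoformat(e["eventTime"])
        if e["eventName"] == "AssumeRole":
            sessions[e["responseElements"]["assumedRoleUser"]["arn"]] = (t, e["awsRegion"])
            continue
        arn = e["userIdentity"]["arn"]
        if arn in sessions:
            t0, region0 = sessions[arn]
            if t - t0 > GEO_VELOCITY_THRESHOLD:
                del sessions[arn]           # threshold passed without a region jump
            elif e["awsRegion"] != region0:
                del sessions[arn]           # alert once per session
                alerts.append({"rule": "geo_velocity", "identity": arn, "time": e["eventTime"],
                               "from": region0, "to": e["awsRegion"]})
    return alerts

def detect_model_usage_spike(daily_tokens, today_tokens):
    """ModelUsageQuotaSpike: today's LLM token usage against the trailing 7-day average
    (history is a constructed per-day list, most recent last). No history, no verdict."""
    history = daily_tokens[-7:]
    if not history:
        return False
    baseline = sum(history) / len(history)
    return today_tokens > MODEL_USAGE_QUOTA_SPIKE * baseline

if __name__ == "__main__":
    ev = sample_events()
    for alert in detect_policy_change(ev) + detect_volume_spike(ev) + detect_geo_velocity(ev):
        print(alert)
    print("token spike:", detect_model_usage_spike([1000] * 7, 5000))
```

Each detector returns its alerts rather than printing them so the four checks can be composed or fed to a SIEM; the `count`, `from` and `to` fields carry the evidence an analyst needs to triage without re-querying the trail.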