Defenders should monitor for suspicious enumeration of cloud infrastructure components via APIs or CLI tools. Observable behaviors include repeated listing or description operations for compute instances, snapshots, storage buckets, and volumes. From a defender’s perspective, risky activity is often identified by new or untrusted identities making discovery calls (e.g., DescribeInstances, ListBuckets, az vm list, gcloud compute instances list), enumeration from unusual geolocations or IPs, or rapid multi-service discovery in sequence. Correlating discovery API usage with later snapshot creation or instance modification provides further context on adversary behavior.

| Data Component | Name | Channel |
|---|---|---|
| Instance Metadata (DC0086) | AWS:CloudTrail | DescribeInstances |
| Cloud Storage Enumeration (DC0017) | AWS:CloudTrail | ListBuckets |
| Instance Enumeration (DC0075) | AWS:CloudTrail | DescribeDBInstances |

| Field | Description |
|---|---|
| UserContext | Identity performing the discovery operation; tuned to filter known administrative or inventory accounts. |
| GeoLocation | Source region or IP of discovery requests; tuned to expected operational regions to detect unusual access. |
| TimeWindow | Correlation period to link enumeration calls with subsequent provisioning or exfiltration activity. |
| APIThreshold | Rate or volume of discovery calls; tuned to suppress noise from inventory management tools. |
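As an added example (not part of the ATT&CK page), the following Python scores a batch of constructed CloudTrail-style records against the four mutable elements above: trusted identities are suppressed (UserContext), discovery from outside expected regions is flagged (GeoLocation), a burst of discovery calls across several services is detected (APIThreshold within TimeWindow), and discovery followed by snapshot creation or instance modification within the same window is correlated. Identity ARNs, account number, timestamps and the call sets are constructed assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_CALLS = {"DescribeInstances", "ListBuckets", "DescribeDBInstances",
                   "DescribeSnapshots", "DescribeVolumes"}
FOLLOW_ON_CALLS = {"CreateSnapshot", "ModifyInstanceAttribute"}

# Constructed CloudTrail-style records: (eventTime, userIdentity arn, eventSource, eventName, awsRegion)
BOT = "arn:aws:iam::111122223333:user/inventory-bot"
CONTRACTOR = "arn:aws:sts::111122223333:assumed-role/contractor/s1"
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05Z", BOT, "ec2.amazonaws.com", "DescribeInstances", "us-east-1"),
    ("2024-05-01T10:00:06Z", BOT, "s3.amazonaws.com", "ListBuckets", "us-east-1"),
    ("2024-05-01T10:00:07Z", BOT, "rds.amazonaws.com", "DescribeDBInstances", "us-east-1"),
    ("2024-05-01T11:30:00Z", CONTRACTOR, "ec2.amazonaws.com", "DescribeInstances", "ap-southeast-1"),
    ("2024-05-01T11:30:04Z", CONTRACTOR, "s3.amazonaws.com", "ListBuckets", "ap-southeast-1"),
    ("2024-05-01T11:30:09Z", CONTRACTOR, "rds.amazonaws.com", "DescribeDBInstances", "ap-southeast-1"),
    ("2024-05-01T11:36:00Z", CONTRACTOR, "ec2.amazonaws.com", "CreateSnapshot", "ap-southeast-1"),
    ("2024-05-01T12:00:00Z", "arn:aws:iam::111122223333:user/alice", "ec2.amazonaws.com", "DescribeInstances", "us-east-1"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect(events, trusted_identities, expected_regions,
           time_window=timedelta(minutes=10), api_threshold=3):
    """Return {identity: [reasons]} for identities showing the discovery pattern."""
    per_identity = defaultdict(list)
    for t, who, source, name, region in sorted(events):   # ISO timestamps sort lexically
        per_identity[who].append((_ts(t), source, name, region))
    findings = {}
    for who, evs in per_identity.items():
        if who in trusted_identities:        # UserContext: suppress known inventory accounts
            continue
        discovery = [e for e in evs if e[2] in DISCOVERY_CALLS]
        reasons = []
        # APIThreshold within TimeWindow: burst of discovery calls spanning 2+ services
        for i, (t0, *_) in enumerate(discovery):
            burst = [e for e in discovery[i:] if e[0] - t0 <= time_window]
            if len(burst) >= api_threshold and len({e[1] for e in burst}) >= 2:
                reasons.append("rapid multi-service discovery")
                break
        # GeoLocation: any discovery call from outside the expected regions
        if any(e[3] not in expected_regions for e in discovery):
            reasons.append("discovery from unexpected region")
        # Correlation: snapshot/modification within TimeWindow after the last discovery call
        if discovery:
            last = max(e[0] for e in discovery)
            if any(e[2] in FOLLOW_ON_CALLS and timedelta(0) <= e[0] - last <= time_window for e in evs):
                reasons.append("followed by snapshot creation or instance modification")
        if reasons:
            findings[who] = reasons
    return findings
```

Calling `detect(SAMPLE_EVENTS, {BOT}, {"us-east-1", "us-west-2"})` flags only the contractor session on all three grounds; dropping the bot from the trusted set shows why the UserContext filter is needed, since its scheduled inventory burst trips the threshold on its own.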