Cloud Service Discovery
Info
ID: AT-EC001
Tactic: Expanding Control
Platforms: IaaS
Sub-techniques: API-based Resource Listing, Open-source discovery tools
Permissions Required: User, Cloud Service Account
Version: 1.0
Adversaries with a foothold in a cloud account may query the provider's APIs or management interfaces to list the resources it contains: virtual machines, containers, serverless functions, databases, storage buckets and similar services. They may also scan the hosts they find for open ports and services to build a picture of the target's operational footprint. With a map of what is deployed, an attacker can expand the compromise methodically, concentrating on exposed or misconfigured assets instead of probing blindly.
In large cloud environments, enumerating ephemeral resources and comparing configurations region by region can surface assets the defenders have overlooked, including resources in regions the organization does not normally use. Staging and test instances are a common find: they are often protected more weakly than production yet still hold credentials for, or network paths to, production data. By enumerating everything from virtual machines to managed data services, adversaries maximize their lateral movement options and the eventual impact of the intrusion.
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0025 | Cloud Service Enumeration & Metadata | Alert when a principal issues an unusual volume of List*/Describe* calls spanning several services within a short window (for example, many distinct services within a few minutes). |
| DS0030 | Cloud Service Metadata | Detect calls that use unusual API versions or that target regions disabled by policy; discovery tooling typically walks every region regardless of where the organization operates. |
| DS0029 | Network Traffic Flow | Flag bursts of control-plane (API) traffic to cloud management endpoints from unexpected ASNs or IP ranges. Because this traffic is TLS-encrypted, the signal comes from the provider's API audit logs or from egress flow telemetry rather than from packet content. |
| DS0002 | User Account Authentication | Correlate enumeration bursts with the session type; raise severity when the calls come from a programmatic access key never previously seen for that principal, or from a key that normally serves a single automated workload. |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | Grant List*/Describe* permissions only to the roles and workloads that need them, and scope them by region, account or resource tag instead of granting wildcard read access; a broad read-only role is sufficient for an attacker to inventory the entire environment. |
| M1030 | Network Segmentation | Segment networks and restrict access to management and metadata endpoints so that a compromised workload cannot reach control-plane APIs or internal services it has no need to contact. |
| M1020 | SSL/TLS Inspection | Where control-plane traffic leaves through an inspectable egress path, monitor it for discovery patterns. In practice, API traffic to the provider is TLS-encrypted end to end, so the provider's own API audit logs remain the primary source for detecting discovery. |