
Quick Start Security for AWS API Gateway


Coralogix Extension For AWS API Gateway Includes:

Alerts - 10

Stay on top of AWS API Gateway key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Logging disabled for multiple stages in a single API

This alert triggers when the logging capabilities of API Gateway stages are disabled in more than 3 accounts within 10 minutes. Stages are used as API versions and have their own logging capabilities, which can be removed manually. A bad actor who gains access to the API Gateway will want to disable logging on the relevant stage to prevent their actions from being discovered.

Impact: A malicious actor acquires API access and carries out several activities with no logged evidence.

Mitigation: Re-enable the stages' logging capabilities. Check with the appropriate users from each impacted account to see why the logging privileges were deactivated. If the users are unaware of such behavior, additional investigation is required in accordance with business policy.

Logging disabled across multiple APIs

This alert triggers when the logging capabilities of more than 3 API stages are disabled over a timespan of 10 minutes. Stages are used as API versions and have their own logging capabilities, which can be removed manually. A bad actor who gains access to the API Gateway will want to disable logging on the relevant stage to prevent their actions from being discovered.

Impact: A malicious actor acquires API access and carries out several activities with no logged evidence.

Mitigation: Re-enable the stages' logging capabilities. Check with the appropriate user to see why the logging capabilities of this stage were deactivated. If the user is unaware of such behavior, additional investigation is required in accordance with business policy.

Logging was disabled for a stage

This alert triggers when the logging capabilities of an API stage are disabled. Stages are used as API versions and have their own logging capabilities, which can be removed manually. A bad actor who gains access to the API Gateway will want to disable logging on the relevant stage to prevent their actions from being discovered.

Impact: A malicious actor acquires API access and carries out several activities with no logged evidence.

Mitigation: Re-enable the stage's logging capabilities. Check with the appropriate user to see why the logging capabilities of this stage were deactivated. If the user is unaware of such behavior, additional investigation is required in accordance with business policy.
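The threshold logic behind the three logging alerts above can be sketched as a sliding-window count over CloudTrail events. This is an added example, not Coralogix's rule definition: it assumes the change arrives as an `UpdateStage` event whose patch operation sets a `.../logging/loglevel` path to `OFF`, and the record layout and sample events are simplified and constructed.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # alert when MORE than 3 distinct stages/accounts are affected

def _ev(ts, account, api, stage, path, value):
    # Constructed, simplified CloudTrail-style record (field layout is an assumption).
    return {"eventTime": ts, "eventSource": "apigateway.amazonaws.com",
            "eventName": "UpdateStage", "recipientAccountId": account,
            "requestParameters": {"restApiId": api, "stageName": stage,
                                  "patchOperations": [{"op": "replace", "path": path, "value": value}]}}

LOG = "/*/*/logging/loglevel"
SAMPLE = [
    _ev("2024-05-01T10:00:00Z", "111111111111", "api1", "dev", LOG, "OFF"),
    _ev("2024-05-01T10:02:00Z", "111111111111", "api1", "test", LOG, "OFF"),
    _ev("2024-05-01T10:03:00Z", "111111111111", "api1", "dev", "/*/*/metrics/enabled", "false"),
    _ev("2024-05-01T10:05:00Z", "222222222222", "api2", "prod", LOG, "OFF"),
    _ev("2024-05-01T10:08:00Z", "111111111111", "api1", "prod", LOG, "OFF"),
    _ev("2024-05-01T10:30:00Z", "111111111111", "api1", "v2", LOG, "INFO"),  # logging turned on
]

def logging_disabled(event):
    """True for the single-stage alert: an UpdateStage call that sets loglevel to OFF."""
    if event.get("eventSource") != "apigateway.amazonaws.com" or event.get("eventName") != "UpdateStage":
        return False
    ops = event.get("requestParameters", {}).get("patchOperations", [])
    return any(op.get("path", "").endswith("/logging/loglevel")
               and str(op.get("value", "")).upper() == "OFF" for op in ops)

def stage_key(e):
    p = e["requestParameters"]
    return (e["recipientAccountId"], p["restApiId"], p["stageName"])

def account_key(e):
    return e["recipientAccountId"]

def detect(events, key, window=WINDOW, threshold=THRESHOLD):
    """Event times at which more than `threshold` distinct keys lost logging within `window`."""
    hits, alerts = deque(), []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if not logging_disabled(e):
            continue
        now = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        hits.append((now, key(e)))
        while now - hits[0][0] > window:  # drop events older than the window
            hits.popleft()
        if len({k for _, k in hits}) > threshold:
            alerts.append(e["eventTime"])
    return alerts
```

Counting distinct keys rather than raw events keeps a repeated change to the same stage from inflating the count; `detect(SAMPLE, stage_key)` fires on the fourth stage, while `detect(SAMPLE, account_key)` stays quiet because only two accounts are involved.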

API gateway deleted

This alert triggers when an API gateway is deleted. API gateways are used to give additional capabilities that are not available through the AWS CLI. Malicious actors will attempt to destroy the APIs so that relevant employees cannot interfere with their operations.

Impact: Employees lose access to API capabilities that they rely on daily.

Mitigation: Validate the cause for the deletion of the API with the relevant user. If necessary, rebuild the lost API and do more research in accordance with business policy.

Multiple API gateways deleted

This alert triggers when more than 3 API gateways are deleted over a timespan of 10 minutes. API gateways are used to give additional capabilities that are not available through the AWS CLI. Malicious actors will attempt to destroy the APIs so that relevant employees cannot interfere with their operations.

Impact: Employees lose access to API capabilities that they rely on daily.

Mitigation: Validate the cause for the deletion of such APIs with the relevant user. If necessary, rebuild the lost APIs and do more research in accordance with business policy.

API gateways deleted in more than one account

This alert triggers when API gateways are deleted in more than 3 accounts over a timespan of 10 minutes. API gateways are used to give additional capabilities that are not available through the AWS CLI. Malicious actors will attempt to destroy the APIs so that relevant employees cannot interfere with their operations.

Impact: Employees lose access to API capabilities that they rely on daily.

Mitigation: In the applicable account, confirm the reason for API deletion. If necessary, rebuild the lost APIs and do more research in accordance with business policy.

API gateway was enabled

This alert triggers when a disabled API gateway is enabled. API gateways are used to give additional features that are not available through the usual AWS CLI. An API gateway can be disabled for a variety of reasons, including setup errors that may damage environment security or because the API is no longer required. Malicious actors would try to locate those APIs and re-enable them for their own reasons.

Impact: A malicious actor gains access to an API that could provide them with sensitive information.

Mitigation: Confirm the rationale for re-enabling this API with the appropriate user. If necessary, disable the API and do additional research in accordance with business policy.

API gateway was disabled

This alert triggers when an existing API gateway is disabled. API gateways are used to provide additional API capabilities that are not available through the AWS CLI. Malicious actors may attempt to block certain API gateways in order to prevent appropriate employees from interfering with their actions.

Impact: Employees lose access to functions that they require on a daily basis.

Mitigation: Examine the cause behind the API's deactivation. Re-enable the API if necessary. If necessary, conduct more research in accordance with business policy.

New API gateway created

When a new API gateway is created, this alert will be triggered. Malicious actors will attempt to construct new API gateways in order to conceal their activities by not using the AWS CLI, which CloudTrail can easily monitor.

Impact: Without being watched, a malicious actor gains API access to the AWS environment.

Mitigation: Confirm with the appropriate user why the new API gateway was built. If the user is unfamiliar with the establishment of the API, delete it and conduct additional investigation in accordance with business policy. If the API is required, ensure that logging to the appropriate stages is enabled.

Private API made public

This alert will be triggered when a private API becomes public. Private APIs are intended to be used within the AWS environment; however, once a private API is made public, it can be accessed from outside the environment.

Impact: Malicious actors may get access to the API in order to carry out actions that are not permitted by standard APIs.

Mitigation: Validate the justification for the API's public release. Revert the API to private if necessary.

Integration

Learn more about Coralogix's out-of-the-box integration with AWS API Gateway in our documentation.
