LoFP LoFP / t1580

t1580

TitleTags
administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
administrators or automated systems may legitimately perform multiple `describe` and `list` api calls in a short time frame. verify the user identity and the purpose of the api calls to determine if the behavior is expected.
administrators or developers who are unaware of the deprecation status of amis they are using.
automated tools or scripts that query for deprecated amis as part of a security assessment.
it is possible to start this detection will need to be tuned by source ip or user. in addition, change the count values to an upper threshold to restrict false positives.
known or internal account ids or automation
legitimate use of deprecated amis for testing or development purposes.
legitimate use of the `describeinstances` api call by an aws resource that requires information about instances in multiple regions.
legitimate users may encounter multiple failures during permission testing, role transitions, or when service permissions are being reconfigured. high volumes of api errors may also occur during automated processes with misconfigured iam policies or when new bedrock features are being explored through api testing.
misconfigured applications or services that rely on deprecated amis for compatibility reasons.
scheduled tasks or scripts that require information about instances in multiple regions.