Suspicious activity

List s3 bucket API call was made from a malicious IP address

Risk Level

Hazardous (3)



Orca detected that an API call to list S3 buckets was made from a malicious IP - {MaliciousIp.MaliciousIp}. This action may indicate of a presence of an unauthorized actor in the cloud environment, since listing S3 buckets is a common enumeration action attackers conduct in the reconnaissance phase. AWS proactively monitors popular code repository sites for exposed AWS Identity and Access Management (IAM) access keys. On detection of an exposed IAM access key, a policy named 'AWSExposedCredentialPolicy_DO_NOT_REMOVE' is assigned to the IAM user in order to notify on the leaked access key.
  • Recommended Mitigation

    It is recommended to review relevant CloudTrail event and principal's activity that issued this API call.