How to Monitor and Protect Your AWS Account from High Privilege and Disruptive API Calls?

Amazon Web Services (AWS) offers a wide range of API calls that allow users to control and manage their resources. However, some of these API calls are considered to be high privilege or disruptive, meaning that they can have a significant impact on your AWS account if used incorrectly.

In this blog post, I will provide a list of all the high privilege and disruptive AWS API calls. I will also discuss the risks associated with using these API calls and how to mitigate those risks.

High Privilege and Disruptive API Calls

High privilege API calls are those that allow users to perform actions that can have a significant impact on their AWS account. For example, these API calls can be used to create, delete, or modify account contact information.

Disruptive API calls are those that can cause significant disruption to your AWS account if used incorrectly. For example, these API calls can be used to stop or start services, or to disable or enable features.

Some of the most common high privilege and disruptive API calls include:

  • iam:DeleteUser – Allows users to delete IAM users.
  • iam:ChangePassword – Allows users to change the password for an IAM user.
  • iam:UpdateUser – Allows users to update the properties of an IAM user.
  • ec2:RunInstances – Allows users to launch new EC2 instances.
  • ec2:TerminateInstances – Allows users to terminate EC2 instances.
  • s3:CreateBucket – Allows users to create new S3 buckets.
  • s3:DeleteBucket – Allows users to delete S3 buckets.
  • DeleteAccount – Closes an AWS account.
  • UpdateAccountAttributes – Updates the attributes of an AWS account.
  • CreateAlternateContact – Adds an alternate contact to an AWS account.
  • DeleteAlternateContact – Removes an alternate contact from an AWS account.
  • PutAlternateContact – Updates the information for an alternate contact.
  • DisassociateContact – Disassociates an IAM user from an AWS account.
  • LeaveOrganization – Leaves an AWS organization.
  • DeleteOrganization – Deletes an AWS organization.
  • DeleteOrganizationalUnit – Deletes an OU within an AWS organization.
  • DisableMFADevice – Disables MFA for an IAM user.
  • DeleteMFADevice – Deletes an MFA device for an IAM user.
  • DeleteVirtualMFADevice – Deletes a virtual MFA device for an IAM user.
  • ec2:StopInstances – Allows users to stop EC2 instances.
  • rds:StopDBInstance – Allows users to stop RDS instances.
  • s3:PauseBucket – Allows users to pause S3 buckets.
  • s3:ResumeBucket – Allows users to resume S3 buckets.
  • cloudfront:DisableDistribution – Allows users to disable CloudFront distributions.

Here is the complete list:

CreateAccount
CreateUser
CreateAccessKey
CreatePolicy
AttachRolePolicy
CreateRole
UpdateAssumeRolePolicy
DeleteUser
DeleteAccessKey
DeletePolicy
DetachRolePolicy
DeleteRole
CreateServiceLinkedRole
DeleteServiceLinkedRole
PutUserPolicy
GetUserPolicy
DeleteUserPolicy
AttachUserPolicy
DetachUserPolicy
PutRolePolicy
GetRolePolicy
DeleteRolePolicy
PutGroupPolicy
GetGroupPolicy
DeleteGroupPolicy
AttachGroupPolicy
DetachGroupPolicy
ListAccountAliases
GetAccountSummary
GetAccountAuthorizationDetails
ListUsers
GetUser
ListAccessKeys
GetAccessKeyLastUsed
ListAttachedUserPolicies
ListAttachedRolePolicies
ListAttachedGroupPolicies
ListMFADevices
GetUserMFADevice
ListRoles
GetRole
ListRolePolicies
ListInstanceProfiles
GetInstanceProfile
ListPolicies
GetPolicy
ListPolicyVersions
GetPolicyVersion
ListAttachedRolePolicyVersions
ListAttachedUserPolicyVersions
ListAttachedGroupPolicyVersions
GetPolicySummary
GenerateServiceLastAccessedDetails
GenerateServiceSpecificCredentials
SimulatePrincipalPolicy
CreatePolicyVersion
DeletePolicyVersion
CreatePolicyGroup
DeletePolicyGroup
AddUserToGroup
RemoveUserFromGroup
ListGroupsForUser
ListGroups
GetLoginProfile
CreateLoginProfile
UpdateLoginProfile
DeleteLoginProfile
SetDefaultPolicyVersion
EnableMFADevice
DisableMFADevice
DeactivateMFADevice
ReactivateMFADevice
GetContextKeysForPrincipalPolicy
UpdateUser
UpdateAccessKey
CreateGroup
UpdateGroup
DeleteGroup
UpdateRole
AssumeRole
UpdatePolicy
CreateInstanceProfile
UpdateInstanceProfile
DeleteInstanceProfile
AddRoleToInstanceProfile
RemoveRoleFromInstanceProfile
GetPasswordData
GetSecretValue
GenerateDbAuthToken
ListAccountMFADevices
ListAccountTags
ListAccountUsers
CreateServiceSpecificCredential
ResetServiceSpecificCredential
lightsail:GetInstanceAccessDetails
lightsail:GetRelationalDatabaseMasterUserPassword
rds-db:connect
redshift:GetClusterCredentials
sso:GetRoleCredentials
mediapackage:RotateChannelCredentials
mediapackage:RotateIngestEndpointCredentials
sts:AssumeRole
sts:AssumeRoleWithSaml
sts:AssumeRoleWithWebIdentity
sts:GetFederationToken
sts:GetSessionToken
chime:CreateApiKey
codepipeline:PollForJobs
cognito-identity:GetOpenIdToken
cognito-identity:GetOpenIdTokenForDeveloperIdentity
cognito-identity:GetCredentialsForIdentity
connect:GetFederationToken
connect:GetFederationTokens
ecr:GetAuthorizationToken
gamelift:RequestUploadCredentials
DeleteAccount
ec2:StopInstances
ec2:TerminateInstances
rds:StopDBInstance
rds:DeleteDBInstance
DeleteBucket
DeleteObject
PutBucketReplication
DeleteReplicationConfiguration
PutBucketPolicy
DeleteBucketPolicy
PutObjectAcl
DeleteObjectAcl
PutObjectRetention
DeleteObjectRetention
PutObjectTagging
DeleteObjectTagging
PutBucketVersioning
DeleteBucketVersioning
DeleteObjectVersion
DeleteObjects
PutObjectLegalHold
DeleteObjectLegalHold
CreateBucket
DeleteBucketCors
PutBucketCors
DeleteBucketWebsiteConfiguration
PutBucketWebsiteConfiguration
DeleteBucketReplicationConfiguration
GetBucketReplicationConfiguration
GetBucketPolicy
GetObjectAcl
GetObjectRetention
GetObjectTagging
GetObjectVersion
GetBucketVersioning
GetObjectLegalHold
GetBucketCors
GetBucketWebsiteConfiguration
TerminateInstances
StopDBInstance
DeleteDBInstance


AWS updates its APIs often. The following reference links describe each API call in more detail:

IAM – https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html
EC2 – https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Welcome.html
AWS CLI – https://docs.aws.amazon.com/cli/latest/

Risks Associated with High Privilege and Disruptive API Calls

The use of high privilege and disruptive API calls can pose a number of risks to your AWS account, including:

  • Data loss: If a malicious actor gains access to your AWS account and uses a high privilege API call to delete or modify your data, you could lose important data.
  • Service disruption: If a malicious actor or disgruntled insider uses a disruptive API call to stop or disable a service, you could experience service disruption.
  • Financial loss: If a malicious actor or an insider uses a high privilege API call to make unauthorized purchases, you could suffer financial losses.

How to Mitigate Risks

There are a number of steps you can take to mitigate the risks associated with high privilege and disruptive API calls, including:

  • Use IAM roles and permissions to restrict access to these API calls: IAM roles and permissions allow you to control who has access to which API calls. This can help to prevent unauthorized users from using these API calls.
  • Use CloudTrail to monitor API calls: CloudTrail allows you to track all API calls that are made to your AWS account. This can help you to identify any unauthorized or suspicious API calls.
  • Use AWS Shield to protect your account from DDoS attacks: AWS Shield can help to protect your account from DDoS attacks, which can be used to disrupt your services or make unauthorized API calls.

Creating Alerts and Reports in Security Solutions

To enhance your AWS security posture, it’s crucial to implement proactive monitoring and alerts for high privilege and disruptive API calls. Below are steps to create alerts and reports in common security solutions:

  1. AWS CloudTrail: CloudTrail captures and logs AWS API calls, giving you visibility into the actions performed on your AWS resources. With CloudTrail configured, you can set up alerts for specific API calls and generate reports from the collected logs. See the AWS documentation on creating a CloudWatch Events rule that triggers on an event.
  2. AWS Config: AWS Config lets you assess, audit, and evaluate the configurations of your AWS resources. With AWS Config Rules, you can create custom rules to monitor and detect specific API calls that pose risks to your infrastructure. Refer to the AWS Config documentation on creating AWS Config rules.
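As an added example (not code from the original post), the following Python detector applies a watch list built from the calls named above to CloudTrail records and also emits the equivalent EventBridge (formerly CloudWatch Events) pattern for the rule step in item 1. The sample records, account id, principal id and IP addresses are constructed for illustration.

```python
import json

# Watch list built from the calls named in this post, keyed by CloudTrail eventSource so IAM's DeleteUser is not confused with same-named actions in other services.
WATCHED_EVENTS = {
    "iam.amazonaws.com": {"DeleteUser", "ChangePassword", "UpdateUser", "CreateAccessKey",
                          "DeactivateMFADevice", "DeleteVirtualMFADevice", "UpdateAssumeRolePolicy"},
    "ec2.amazonaws.com": {"RunInstances", "StopInstances", "TerminateInstances"},
    "s3.amazonaws.com": {"CreateBucket", "DeleteBucket", "PutBucketPolicy"},
    "rds.amazonaws.com": {"StopDBInstance", "DeleteDBInstance"},
    "organizations.amazonaws.com": {"LeaveOrganization", "DeleteOrganization", "DeleteOrganizationalUnit"},
    "account.amazonaws.com": {"PutAlternateContact", "DeleteAlternateContact"},
}

def is_watched(record):
    return record.get("eventName") in WATCHED_EVENTS.get(record.get("eventSource"), ())

def summarize(record):
    # Reduce one CloudTrail record to the fields an alert needs.
    ident = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "who": ident.get("arn") or ident.get("principalId", "unknown"),
        "call": f"{record.get('eventSource')}:{record.get('eventName')}",
        "source_ip": record.get("sourceIPAddress"),
        # CloudTrail records this as the string "true"/"false"; None when there is no session context
        "mfa": ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated"),
        "error": record.get("errorCode"),  # kept: a denied attempt at a watched call is itself a signal
    }

def find_alerts(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) and return one alert per watched call."""
    return [summarize(r) for r in json.loads(log_text)["Records"] if is_watched(r)]

def event_pattern():
    """EventBridge pattern for the rule step; per-key lists are OR-ed, so it matches a superset of the dict."""
    return {"detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventSource": sorted(WATCHED_EVENTS),
                       "eventName": sorted(set().union(*WATCHED_EVENTS.values()))}}

# Constructed sample log, not real CloudTrail output: a watched IAM call made without MFA,
# a benign read, and a denied attempt at a disruptive EC2 call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin",
     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied", "userIdentity": {"principalId": "AIDAEXAMPLE"}},
]})
```

Running `find_alerts(SAMPLE_LOG)` yields two alerts (the DeleteUser without MFA and the denied TerminateInstances) and skips the GetUser read; `event_pattern()` can be pasted into the rule's event pattern field.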
