Datadog Security Research discovered that the AWS API resource-explorer-2:ListResources could be used by attackers to quietly enumerate resources because it was classified as a CloudTrail data event, which trails do not record by default. After disclosure, AWS reclassified ListResources as a management event so that it is logged to CloudTrail by default. #ResourceExplorer #ListResources
Keypoints
- Datadog reported that resource-explorer-2:ListResources did not log to CloudTrail by default, enabling stealthy resource enumeration.
- AWS acknowledged the report on April 24, 2025, and implemented a fix that reclassified ListResources as a management event on July 15, 2025.
- Resource Explorer uses a service-linked role (AWSServiceRoleForResourceExplorer) to index resources, allowing attackers to proxy enumeration through the service and disassociate activity from compromised identities.
- Before the change, ListResources returned the default indexed view containing most account resources, making a single call sufficient for extensive enumeration.
- Mitigations include blocking the service with a Service Control Policy (resource-explorer-2:*) or alerting on resource-explorer-2:CreateIndex and ListResources calls, especially those using long-lived access keys.
- Datadog provided Cloud SIEM rules to detect potential abuse, focusing on calls from long-lived credentials which are common in compromises.
- AWS issued a Health event notifying customers of the CloudTrail classification change and advising updates to trail configurations and dependent systems.
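The alerting mitigation above (watch resource-explorer-2:CreateIndex and ListResources, weight calls from long-lived access keys higher) as an added detection example; this is not Datadog's Cloud SIEM rule or AWS code. It assumes CloudTrail-style JSON records and uses the AWS access-key prefixes (AKIA for long-lived IAM user keys, ASIA for temporary STS credentials) to separate the two; the sample events are constructed.

```python
"""Flag Resource Explorer enumeration in CloudTrail-style records (added example).

Long-lived IAM user access keys carry the AKIA prefix; temporary STS
credentials carry ASIA. Note that ListResources only appears in a trail
for dates before the July 15, 2025 reclassification if that trail had
data events enabled.
"""
import json
from typing import List, Optional

WATCHED_EVENTS = {"CreateIndex", "ListResources"}
EVENT_SOURCE = "resource-explorer-2.amazonaws.com"


def classify(record: dict) -> Optional[dict]:
    """Return an alert for a watched Resource Explorer call, else None."""
    if record.get("eventSource") != EVENT_SOURCE:
        return None
    name = record.get("eventName")
    if name not in WATCHED_EVENTS:
        return None
    identity = record.get("userIdentity", {})
    key_id = identity.get("accessKeyId", "")
    # Long-lived keys (AKIA...) are the higher-confidence signal in the report;
    # temporary credentials (ASIA...) are still worth reviewing.
    severity = "high" if key_id.startswith("AKIA") else "medium"
    return {"eventName": name, "arn": identity.get("arn", "unknown"),
            "accessKeyId": key_id, "severity": severity}


def scan(records: List[dict]) -> List[dict]:
    return [a for a in (classify(r) for r in records) if a is not None]


# Constructed sample log: three CloudTrail-style records, not real events.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": EVENT_SOURCE, "eventName": "CreateIndex",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventSource": EVENT_SOURCE, "eventName": "ListResources",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/s1",
                      "accessKeyId": "ASIAEXAMPLEKEY000002"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
]})


def sample_alerts() -> List[dict]:
    return scan(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```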
MITRE Techniques
- [T1083] File and Directory Discovery – Resource Explorer indexes resources across the account and returns them via ListResources, enabling discovery (“…list your AWS resources that are indexed by Resource Explorer across services, AWS Regions, and AWS accounts…”).
- [T1087] Account Discovery – Attackers can enumerate IAM users, roles, and other account resources using resource-explorer-2:ListResources to learn about identities and accounts (“…you can explore your resources, such as Amazon Elastic Compute Cloud instances… or Amazon DynamoDB tables…”).
- [T1526] Cloud Service Discovery – Resource Explorer’s indexing and search functionality allows discovery of cloud resources across regions and accounts by querying the service index (“…Resource Explorer begins discovering the resources in this Region and stores the details about the resources in the index so that they can be queried by using the Search operation.”).
- [T1574] Hijack Execution Flow (service role misuse) – Because Resource Explorer uses a service-linked role (AWSServiceRoleForResourceExplorer) to index resources, adversaries can leverage the service to proxy enumeration and hide their direct API calls (“…it uses a service-linked role named AWSServiceRoleForResourceExplorer that regularly enumerates AWS resources in the account and adds them to an index.”).
- [T1078] Valid Accounts – The guidance to alert on long-lived access keys reflects attackers using stolen long-lived credentials to call CreateIndex or ListResources (“…a resource-explorer-2:CreateIndex API call that uses long-lived access keys has an increased chance of being from a threat actor.”).
Indicators of Compromise
- [API Call] Resource enumeration via Resource Explorer – resource-explorer-2:ListResources, resource-explorer-2:CreateIndex
- [IAM Role] Service-linked role used to index resources – AWSServiceRoleForResourceExplorer
- [Configuration] CloudTrail logging classification change context – ListResources was previously a data event, now a management event (no direct IPs or hashes provided)
- [Policy] Service Control Policy example blocking Resource Explorer – “resource-explorer-2:*” (SCP JSON snippet)