MITRE ATT&CK® Analytic

AN0695: Analytic 0695

Detects adversarial use of cloud-native APIs (e.g., AWS IAM, Azure RBAC, GCP Identity) to enumerate cloud group memberships or policy mappings via unauthorized sessions or scripts.

Domain: Enterprise | ID: AN0695 | Type: Analytic | Object version 1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because cloud identity and authorization data can reveal who has access to what. Enumeration of cloud group memberships or policy mappings through AWS IAM, Azure RBAC, GCP Identity, or similar cloud-native APIs can help an intruder understand privilege paths before attempting broader access. For leaders, the key question is whether the organization can see and investigate unusual identity-enumeration activity in IaaS environments, especially when it occurs through unauthorized sessions or automation scripts.

Executive priority

Prioritize this as a cloud identity visibility and incident-readiness issue. If defenders cannot distinguish normal administrative inventory from suspicious API-driven enumeration, incident responders may lose early warning of identity abuse and cloud privilege discovery. This should inform cloud logging budgets, IAM governance, SOC use-case validation, and audit evidence for monitoring privileged access activity.

Technical view

Validate whether cloud control-plane/API logs capture the calls that enumerate group membership, role assignments, policies, and identity mappings across the IaaS environments in scope. MITRE supplies no official detection logic and no tactic mapping for this analytic, so SOC teams should build environment-specific baselines for legitimate administrators, service accounts, automation, and inventory tools, then alert on unusual principals, unauthorized sessions, unexpected source locations, abnormal API volume, or scripts querying identity and authorization relationships.

Likely telemetry

  • Cloud control-plane/API audit logs for IAM, RBAC, identity, group, role, and policy queries
  • Authentication and session records for cloud users, roles, service principals, and temporary credentials
  • Cloud identity provider logs showing principal, source, user agent, and session context
  • Administrative activity logs from approved cloud inventory, governance, and automation tooling
  • SOC case context linking identity enumeration to prior unauthorized or anomalous session activity

Detection direction

  • Confirm that IaaS identity and authorization enumeration events are logged with principal, API action, source, timestamp, user agent, and session attributes.
  • Separate expected administrative discovery from suspicious behavior by baselining cloud administrators, CI/CD jobs, governance tools, and inventory scanners.
  • Tune for unauthorized or unusual sessions, scripted access patterns, high-volume enumeration, new principals performing identity discovery, or access from unexpected networks or locations.
  • Review false positives from legitimate compliance audits, access reviews, posture-management tools, and migration scripts.
  • Because no relationship context or official detection logic is supplied, avoid assuming technique coverage; validate against local cloud services and logging configurations.
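As an added example (not part of the MITRE object or the Glexia analysis), the following Python applies the baseline-then-alert approach above to a handful of constructed CloudTrail-style records. The analytic supplies no API names, so the IAM operations treated as enumeration, the approved principal and network, the scripted user-agent markers, and the volume threshold are all assumptions chosen for illustration; the log lines are constructed rather than captured.

```python
"""Baseline-then-alert scoring for cloud identity enumeration (added example, not code
from the MITRE object or the Glexia page). Records mimic AWS CloudTrail and the API names
are real IAM operations, but the analytic supplies no API names, so ENUMERATION_APIS and
the baseline are illustrative assumptions. All log lines are constructed, not captured."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: IAM operations that expose group membership or policy mappings.
ENUMERATION_APIS = {
    "ListGroups", "GetGroup", "ListGroupsForUser", "ListAttachedUserPolicies",
    "ListAttachedRolePolicies", "ListAttachedGroupPolicies", "ListEntitiesForPolicy",
    "ListPolicies", "GetPolicy", "GetPolicyVersion", "GetAccountAuthorizationDetails",
}
BULK_DUMP_APIS = {"GetAccountAuthorizationDetails"}  # one call returns the whole graph
# Assumed local baseline: who legitimately enumerates identity data, and from where.
APPROVED_PRINCIPALS = {"arn:aws:iam::123456789012:role/AccessReviewRole"}
APPROVED_NETWORKS = [ip_network("203.0.113.0/24")]
SCRIPTED_AGENT_MARKERS = ("Boto3", "aws-sdk", "curl", "python-requests")
VOLUME_THRESHOLD = 10  # enumeration calls per session inside WINDOW
WINDOW = timedelta(minutes=5)


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def max_calls_in_window(times):
    """Largest number of sorted timestamps falling inside any WINDOW-long span."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(events):
    """One finding per credential session that left the baseline. Sessions are keyed on
    the access key, not the principal, so a stolen key is scored apart from its owner's
    other activity; an approved principal on an approved network yields no finding."""
    sessions = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") == "iam.amazonaws.com" and ev["eventName"] in ENUMERATION_APIS:
            sessions[ev["userIdentity"].get("accessKeyId") or ev["userIdentity"]["arn"]].append(ev)
    findings = []
    for key, calls in sessions.items():
        calls.sort(key=lambda e: parse_time(e["eventTime"]))
        first = calls[0]
        principal = first["userIdentity"]["arn"]
        known_principal = principal in APPROVED_PRINCIPALS
        known_network = any(ip_address(first["sourceIPAddress"]) in n for n in APPROVED_NETWORKS)
        reasons = []
        if not known_principal:
            reasons.append("principal_not_baselined")
        if not known_network:
            reasons.append("source_outside_approved_networks")
        if not (known_principal and known_network):
            # Inventory tooling is scripted and high-volume by design, so these rules
            # only fire once a session has already left the baseline.
            if any(m in first.get("userAgent", "") for m in SCRIPTED_AGENT_MARKERS):
                reasons.append("scripted_client")
            if any(e["eventName"] in BULK_DUMP_APIS for e in calls):
                reasons.append("bulk_authorization_dump")
            if max_calls_in_window([parse_time(e["eventTime"]) for e in calls]) >= VOLUME_THRESHOLD:
                reasons.append("high_volume_enumeration")
        if reasons:
            findings.append({"session": key, "principal": principal, "calls": len(calls),
                             "source": first["sourceIPAddress"], "reasons": reasons,
                             "severity": "high" if len(reasons) >= 3 else "low"})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


def make_event(ts, name, arn, key, ip, agent, source="iam.amazonaws.com"):
    """Minimal CloudTrail-style record, constructed for this example."""
    return {"eventTime": ts, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent, "userIdentity": {"arn": arn, "accessKeyId": key}}


ACCT = "arn:aws:iam::123456789012:"
REVIEW = (ACCT + "role/AccessReviewRole", "ASIAREVIEW0000000001", "203.0.113.10", "Boto3/1.34.0")
ALICE = (ACCT + "user/alice", "AKIAALICE00000000001", "198.51.100.7", "Boto3/1.34.0")
BOB = (ACCT + "user/bob", "ASIABOB0000000000001", "203.0.113.44", "console.amazonaws.com")
SAMPLE_EVENTS = (
    # Approved review role on the corporate network: scripted and bulk, but baselined.
    [make_event(f"2026-01-15T09:00:{i:02d}Z", "ListAttachedUserPolicies", *REVIEW) for i in range(12)]
    + [make_event("2026-01-15T09:00:13Z", "GetAccountAuthorizationDetails", *REVIEW)]
    # Long-lived user key from an unknown network walking every group, then dumping everything.
    + [make_event(f"2026-01-15T10:00:{i:02d}Z", "ListGroupsForUser", *ALICE) for i in range(10)]
    + [make_event("2026-01-15T10:00:11Z", "GetAccountAuthorizationDetails", *ALICE)]
    # Admin checking two memberships from the console; unbaselined but otherwise quiet.
    + [make_event("2026-01-15T11:00:00Z", "ListGroupsForUser", *BOB),
       make_event("2026-01-15T11:00:30Z", "GetGroup", *BOB),
       # Non-IAM call that the eventSource filter must ignore.
       make_event("2026-01-15T11:01:00Z", "DescribeInstances", *BOB, source="ec2.amazonaws.com")]
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"], f["principal"], f["calls"], ", ".join(f["reasons"]))
```

Run against the constructed sample, the review role produces nothing, the console user surfaces as a low-severity unbaselined principal, and the long-lived key from the unknown network collects every reason and scores high. Keying sessions on the access key rather than the principal is the design choice worth copying: a stolen or leaked key then stands out even when its owner is otherwise on the baseline, and a new principal performing identity discovery is visible the first time it appears.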

Mitigation priorities

  • Ensure cloud audit logging is enabled and retained for identity, role, group, and policy-mapping API activity.
  • Apply least privilege so users, roles, and service principals cannot enumerate identity and authorization data beyond business need.
  • Review and govern automation accounts that legitimately query cloud identity data.
  • Strengthen session governance, including monitoring of temporary credentials and unauthorized or anomalous sessions.
  • Test incident response playbooks for suspected cloud identity enumeration so responders can quickly assess affected principals and downstream privilege risk.

Analyst notes and limits

This object is a MITRE ATT&CK detection analytic for IaaS platforms. It describes detection of adversarial use of cloud-native APIs to enumerate cloud group memberships or policy mappings, but it does not include official detection logic, tactics, aliases, labels, or relationship context. Defensive value therefore depends on local cloud logging, identity architecture, and knowledge of legitimate administrative workflows.

The supplied ATT&CK fields do not provide specific API names, event IDs, detection pseudocode, mapped techniques, tactics, mitigations, adversary use, or related objects. Any implementation must be validated against the organization’s actual AWS, Azure, GCP, or other IaaS telemetry and approved administrative behavior.

Official MITRE ATT&CK definition

Analytic 0695

Detects adversarial use of cloud-native APIs (e.g., AWS IAM, Azure RBAC, GCP Identity) to enumerate cloud group memberships or policy mappings via unauthorized sessions or scripts.

The same entry is available on attack.mitre.org (the MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: 9b3103682e62035f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 9b3103682e62…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0695

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.