EnableRegion
Event
Enables a previously disabled AWS region for the account, making its services available for use.
Security Context
- This action can establish persistent access mechanisms that survive credential rotation and remain active until explicitly discovered and removed.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion, Persistence
Techniques:
- T1535 — Unused/Unsupported Cloud Regions — Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.
- T1578 — Modify Cloud Compute Infrastructure — An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
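An added example, not part of the original page: one way to hunt for this event in a CloudTrail log file, flagging any EnableRegion call that targets a region outside an approved list. The allowlist, function names and sample records are constructed for illustration, and the `RegionName` key under `requestParameters` is an assumption, so it is matched case-insensitively.

```python
import json

# Constructed CloudTrail-style records (not real events); account ID and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "EnableRegion",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"RegionName": "ap-east-1"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "EnableRegion",
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/example-role/s1"},
     "requestParameters": {"RegionName": "me-south-1"}},
    {"eventTime": "2024-01-02T09:00:00Z", "eventName": "EnableRegion",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"RegionName": "eu-south-1"}},
    {"eventTime": "2024-01-02T09:30:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {}},
]})

def region_of(record):
    """Return the requested region; key casing is assumed, so compare lowercased."""
    params = record.get("requestParameters") or {}
    for key, value in params.items():
        if key.lower() == "regionname":
            return value
    return None

def find_region_enablement(log_text, approved_regions):
    """Flag EnableRegion calls whose target region is not on the approved list."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventName") != "EnableRegion":
            continue
        region = region_of(rec)
        if region in approved_regions:
            continue  # expected, change-managed region
        failed = "errorCode" in rec  # denied attempts still show intent
        findings.append({
            "time": rec.get("eventTime"),
            "region": region,  # None means the parameter could not be read
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "severity": "medium" if failed else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in find_region_enablement(SAMPLE_LOG, {"eu-south-1"}):
        print(finding)
```

A finding with region `None` means the request parameters did not match the assumed key and the raw event should be reviewed by hand.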