EnableRegion
AWS
EnableRegion
Event
Enables a previously disabled AWS region for the account, making its services available for use.
Security Context
- This action can establish persistent access mechanisms that survive credential rotation and remain active until explicitly discovered and removed.
Log Source
CloudTrail
Sample Event
Adversarial. Draco enables ap-east-1 (Hong Kong) — an opt-in region the org has never used and has no detective controls in. Once enabled, he can spin up EC2 / Lambda infrastructure there knowing the SOC’s CloudWatch/GuardDuty footprint is us-east-1 / us-west-2 / eu-west-1 only. T1535 (Unused/Unsupported Cloud Regions) + T1578 (Modify Cloud Compute Infrastructure).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco" }, "eventTime": "2026-04-15T20:54:33Z", "eventSource": "account.amazonaws.com", "eventName": "EnableRegion", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "regionName": "ap-east-1" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000100110110", "eventID": "90000000-0000-4000-8000-000100110111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "account.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Stealth Defense Impairment Persistence
Techniques:
- T1535 — Unused/Unsupported Cloud Regions — Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.
- T1578 — Modify Cloud Compute Infrastructure — An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.