MITRE ATT&CK Technique
Description
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket’s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas) An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-08-20T17:51:25.671Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may attempt to discover infrastructure and '
'resources that are available within an '
'infrastructure-as-a-service (IaaS) environment. This includes '
'compute service resources such as instances, virtual '
'machines, and snapshots as well as resources of other '
'services including the storage and database services.\n'
'\n'
'Cloud providers offer methods such as APIs and commands '
'issued through CLIs to serve information about '
'infrastructure. For example, AWS provides a '
'<code>DescribeInstances</code> API within the Amazon EC2 API '
'that can return information about one or more instances '
'within an account, the <code>ListBuckets</code> API that '
'returns a list of all buckets owned by the authenticated '
'sender of the request, the <code>HeadBucket</code> API to '
'determine a bucket’s existence along with access permissions '
'of the request sender, or the '
'<code>GetPublicAccessBlock</code> API to retrieve access '
'block configuration for a bucket.(Citation: Amazon Describe '
'Instance)(Citation: Amazon Describe Instances API)(Citation: '
'AWS Get Public Access Block)(Citation: AWS Head Bucket) '
"Similarly, GCP's Cloud SDK CLI provides the <code>gcloud "
'compute instances list</code> command to list all Google '
'Compute Engine instances in a project (Citation: Google '
"Compute Instances), and Azure's CLI command <code>az vm "
'list</code> lists details of virtual machines.(Citation: '
'Microsoft AZ CLI) In addition to API commands, adversaries '
'can utilize open source tools to discover cloud storage '
'infrastructure through [Wordlist '
'Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: '
'Malwarebytes OSINT Leaky Buckets - Hioureas)\n'
'\n'
'An adversary may enumerate resources using a compromised '
"user's access keys to determine which are available to that "
'user.(Citation: Expel IO Evil in AWS) The discovery of these '
'available resources may help adversaries determine their next '
'steps in the Cloud environment, such as establishing '
'Persistence.(Citation: Mandiant M-Trends 2020)An adversary '
'may also use this information to change the configuration to '
'make the bucket publicly accessible, allowing data to be '
'accessed without authentication. Adversaries have also may '
'use infrastructure discovery APIs such as '
'<code>DescribeDBInstances</code> to determine size, owner, '
'permissions, and network ACLs of database resources. '
'(Citation: AWS Describe DB Instances) Adversaries can use '
'this information to determine the potential value of '
'databases and discover the requirements to access them. '
'Unlike in [Cloud Service '
'Discovery](https://attack.mitre.org/techniques/T1526), this '
'technique focuses on the discovery of components of the '
'provided services rather than the services themselves.',
'external_references': [{'external_id': 'T1580',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1580'},
{'description': 'A. Randazzo, B. Manahan and S. '
'Lipton. (2020, April 28). Finding '
'Evil in AWS. Retrieved June 25, '
'2020.',
'source_name': 'Expel IO Evil in AWS',
'url': 'https://expel.io/blog/finding-evil-in-aws/'},
{'description': 'Amazon Web Services. (n.d.). AWS '
'HeadBucket. Retrieved February 14, '
'2022.',
'source_name': 'AWS Head Bucket',
'url': 'https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html'},
{'description': 'Amazon Web Services. (n.d.). '
'Retrieved May 28, 2021.',
'source_name': 'AWS Get Public Access Block',
'url': 'https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html'},
{'description': 'Amazon Web Services. (n.d.). '
'Retrieved May 28, 2021.',
'source_name': 'AWS Describe DB Instances',
'url': 'https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html'},
{'description': 'Amazon. (n.d.). '
'describe-instance-information. '
'Retrieved March 3, 2020.',
'source_name': 'Amazon Describe Instance',
'url': 'https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html'},
{'description': 'Amazon. (n.d.). DescribeInstances. '
'Retrieved May 26, 2020.',
'source_name': 'Amazon Describe Instances API',
'url': 'https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html'},
{'description': 'Google. (n.d.). gcloud compute '
'instances list. Retrieved May 26, '
'2020.',
'source_name': 'Google Compute Instances',
'url': 'https://cloud.google.com/sdk/gcloud/reference/compute/instances/list'},
{'description': 'Mandiant. (2020, February). M-Trends '
'2020. Retrieved November 17, 2024.',
'source_name': 'Mandiant M-Trends 2020',
'url': 'https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf'},
{'description': 'Microsoft. (n.d.). az ad user. '
'Retrieved October 6, 2019.',
'source_name': 'Microsoft AZ CLI',
'url': 'https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest'},
{'description': 'Vasilios Hioureas. (2019, September '
'13). Hacking with AWS: incorporating '
'leaky buckets into your OSINT '
'workflow. Retrieved February 14, '
'2022.',
'source_name': 'Malwarebytes OSINT Leaky Buckets - '
'Hioureas',
'url': 'https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/'}],
'id': 'attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-24T17:48:49.479Z',
'name': 'Cloud Infrastructure Discovery',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Regina Elwell',
'Praetorian',
'Isif Ibrahima, Mandiant'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS'],
'x_mitre_version': '1.3'}