Title:AWS EnableRegion Command Monitoring Status:experimental Description:Detects the use of the EnableRegion command in AWS CloudTrail logs.
While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately.
There may be situations where security monitoring does not cover some new AWS regions.
Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.
References: -https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html -https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html Author: Ivan Saakov, Sergey Zelenskiy Date: 2025-10-19 modified:None Tags:
-'attack.persistence'
Logsource:
product: aws
service: cloudtrail
Detection: selection: eventName:
'EnableRegion' eventSource:
'account.amazonaws.com' condition:selection Falsepositives:
-Legitimate use of the EnableRegion command by authorized administrators. Level:medium
