What is an indicator of an AWS-based security incident?

Prepare for the Certified Incident Handler (CIH) Exam.

An unusual API call request from S3 is a strong indicator of a potential security incident in an AWS environment. Such API calls can signify malicious activity, such as unauthorized access attempts, data exfiltration, or attempts to manipulate stored data. Monitoring API calls is essential because it can reveal patterns that deviate from typical usage, which might indicate a breach or other security threat.

While increased read requests on RDS may indicate normal usage growth or performance issues, they don't inherently signal a security incident. Similarly, frequent logins from unfamiliar IP addresses, though concerning, may not directly indicate a compromise if they are legitimate access attempts (e.g., by remote administrators or users). Finally, unexpected CPU usage on EC2 instances can result from various causes, including legitimate increased workloads or application issues, and is not a definitive indicator of a security incident without additional context. In contrast, unusual API calls provide more direct evidence of potential malicious behavior, making them a key flag for incident response teams to investigate further.
