{
	"id": "350c0d1e-d674-4bf2-b738-1cceb1f9c315",
	"created_at": "2026-04-06T00:09:14.454735Z",
	"updated_at": "2026-04-10T03:22:11.095761Z",
	"deleted_at": null,
	"sha1_hash": "545a1e8fe3d8adfb89ae826555bd5004bf6f4ba6",
	"title": "The Danger of Unused AWS Regions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 499740,
	"plain_text": "The Danger of Unused AWS Regions\r\nBy CloudSploit\r\nPublished: 2019-06-08 · Archived: 2026-04-05 18:41:26 UTC\r\nPress enter or click to view image in full size\r\nFrom: https://aws.amazon.com/about-aws/global-infrastructure/\r\nI’ll never forget one of the emails the we received in our support inbox at CloudSploit several months ago. An\r\nAWS user had emailed in desperation after finding over 50 EC2 instances running in the ap-northeast-1 region of\r\nhis AWS account. He discovered these instances after his bill was thousands of dollars higher than the previous\r\nmonth. Based on the CPU utilization and some initial analysis, it appeared the instances were being used to mine\r\nBitcoin 24/7.\r\nWhile AWS ultimately refunded a large portion of his bill, the fact that someone had gained access to his account,\r\ndeployed scores of resources, and racked up thousands of dollars in fees over the course of a month speaks\r\nstrongly to the need for security monitoring in all AWS regions, not just the ones in active use. This is something\r\nCloudSploit stresses to its users when they ask if they can suppress our security scans in inactive regions.\r\nWhy Lock the Backdoor If You Never Use It?\r\nIf you have a security system for your home, would you only monitor the rooms you spend the most time in?\r\nImagine not locking the back door because no one goes around that side of the house. If you’ve deployed security\r\ntools (even AWS’s built-in tools like CloudTrail or ConfigService) only in the regions in which you have\r\nresources, you are failing to monitor perhaps the riskiest part of your infrastructure.\r\nGet CloudSploit’s stories in your inbox\r\nhttps://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc\r\nPage 1 of 6\n\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nThis failure in security monitoring is something cloud attackers have been capitalizing on for years. If the goal is\r\nto remain undetected, what better way to do that than to deploy compromised resources in places where no one is\r\nlooking? With a bit of careful capacity planning to avoid usage or billing spikes, an attacker could go undetected\r\nfor months.\r\nMonitoring Unused Regions with CloudTrail\r\nInfrastructure and security teams have numerous ways to fight back. First and foremost, every security tool must\r\nbe deployed in all regions, not just those that are in use. Fortunately, AWS provides easy configuration options to\r\nenable its built-in tools like CloudTrail to monitor all regions.\r\nPress enter or click to view image in full size\r\nEnable CloudTrail in All AWS Regions\r\nDeactivate Unused Region Endpoints\r\nIt’s a little-known and little-used setting, but AWS allows you to disable the ability for users to generate STS\r\ncredentials in unused regions. This page is accessible from the IAM console.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc\r\nPage 2 of 6\n\nDeactivate STS Endpoints in Unused Regions\r\nDon’t Enable New Regions Unless Required\r\nAWS appears to have noticed the issue presented by unused regions and, beginning with the new ap-east-1 (Hong\r\nKong) region, have disabled the region by default. If you attempt to create resources in it, you’ll be asked to\r\nenable the region.\r\nPress enter or click to view image in full size\r\nAvoid Enabling Regions Unless You Plan to Use Them\r\nMonitor for Regional Activity\r\nIt’s paramount that any activity in unused regions is quickly detected. There are many tools, such as Splunk, that\r\ncan ingest CloudTrail logs and alert based on region. Additionally, CloudSploit has added a number of features\r\nthat help detect this activity.\r\nIn our open-source scans, we have a plugin called “EC2 Max Count” which counts the number of running\r\ninstances in a region and alerts if it exceeds a configurable threshold. In unused regions, this threshold can be set\r\nhttps://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc\r\nPage 3 of 6\n\nto “0.”\r\nPress enter or click to view image in full size\r\nCloudSploit’s Scans Detect Instance Counts in All Regions\r\nOur Real-Time Events service also allows you to define unused regions and receive alerts within seconds of\r\nactivity being detected.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc\r\nPage 4 of 6\n\nConclusion\r\nAWS’s growing global footprint means that account operators and security teams need to be more vigilant than\r\never when it comes to monitoring accounts for potential malicious activity. With a few configuration tweaks and\r\nmonitoring tools, detecting activity in these regions is quite simple and can greatly improve the account security\r\nposture.\r\nCloudSploit is a provider of open source, free, and paid hosted SaaS solutions for cloud security monitoring.\r\nhttps://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc\r\nPage 5 of 6\n\nSource: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc\r\nhttps://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc"
	],
	"report_names": [
		"the-danger-of-unused-aws-regions-af0bf1b878fc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434154,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/545a1e8fe3d8adfb89ae826555bd5004bf6f4ba6.pdf",
		"text": "https://archive.orkl.eu/545a1e8fe3d8adfb89ae826555bd5004bf6f4ba6.txt",
		"img": "https://archive.orkl.eu/545a1e8fe3d8adfb89ae826555bd5004bf6f4ba6.jpg"
	}
}