Impossible travel event leads to permission enumeration

aws

Classification:

attack


Goal

Correlate an impossible travel login with permission enumeration of a user.

Strategy

Correlate the "User travel was impossible in AWS CloudTrail IAM log" signal and the "A user received multiple AccessDenied errors" signal based on the ARN: {{@userIdentity.arn}}.
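As an added illustration, not the rule's own implementation or any code from the original page, here is the correlation the strategy describes carried out over constructed CloudTrail-style events: an impossible-travel check on consecutive ConsoleLogin geolocations, an AccessDenied burst count, and the join of both on the user's ARN. The lat/lon fields (assumed to come from a prior GeoIP enrichment), the 1000 km/h and 5-errors-in-10-minutes thresholds, and the ARNs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

ALICE = "arn:aws:iam::111111111111:user/alice"  # constructed ARNs, not real principals
BOB = "arn:aws:iam::111111111111:user/bob"
def _denied(arn, minute, names):  # constructed run of AccessDenied events, one per minute
    return [{"time": f"2024-01-01T10:{minute + i:02d}:00", "eventName": n,
             "errorCode": "AccessDenied", "arn": arn} for i, n in enumerate(names)]

# Constructed CloudTrail-style sample (not real data). lat/lon stand in for a GeoIP
# enrichment of sourceIPAddress that is assumed to have run before this step.
EVENTS = [
    {"time": "2024-01-01T10:00:00", "eventName": "ConsoleLogin", "arn": ALICE, "lat": 40.71, "lon": -74.01},
    {"time": "2024-01-01T10:40:00", "eventName": "ConsoleLogin", "arn": ALICE, "lat": 51.51, "lon": -0.13},
    *_denied(ALICE, 41, ["ListBuckets", "ListUsers", "DescribeInstances", "ListSecrets", "ListRoles"]),
    *_denied(BOB, 5, ["ListBuckets", "GetBucketPolicy", "ListUsers", "ListRoles", "ListPolicies"]),
]

def _km(a, b):  # great-circle (haversine) distance in km between two enriched events
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def _by_arn(events, keep):  # events matching `keep`, grouped by ARN in time order
    groups = defaultdict(list)
    for e in sorted(filter(keep, events), key=lambda e: e["time"]):
        groups[e["arn"]].append(e)
    return groups

def impossible_travel(events, max_kmh=1000):  # ARNs whose consecutive logins imply > max_kmh
    flagged = set()
    for arn, logins in _by_arn(events, lambda e: e["eventName"] == "ConsoleLogin").items():
        for prev, cur in zip(logins, logins[1:]):
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            if _km(prev, cur) > max_kmh * hours:  # also flags two distant places at the same instant
                flagged.add(arn)
    return flagged

def access_denied_burst(events, threshold=5, window=timedelta(minutes=10)):  # >= threshold denials in one window
    flagged = set()
    for arn, denied in _by_arn(events, lambda e: e.get("errorCode") == "AccessDenied").items():
        times = [datetime.fromisoformat(e["time"]) for e in denied]
        if any(sum(t - start <= window for t in times[i:]) >= threshold for i, start in enumerate(times)):
            flagged.add(arn)
    return flagged

def correlate(events):  # the rule's strategy: both signals must fire for the same userIdentity.arn
    return impossible_travel(events) & access_denied_burst(events)
```

Bob's AccessDenied burst alone does not fire the correlated signal; only Alice, who also has the impossible-travel login, is returned.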

Triage and response

  1. Set signal triage state to Under Review.
  2. Determine if the impossible travel login was legitimate.
    • If the login was not legitimate:
      • Investigate the user using the User Investigation Dashboard
      • Rotate credentials on the account
      • Enable MFA if it is not already enabled
    • If the login was legitimate:
      • Triage the signal as a false positive