Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect when a AWS consoler is seen in AWS CloudTrail logs.
Strategy
This rule monitors AWS CloudTrail logs for the GetCallerIdentity API call with the parameter aws_consoler. AWS consoler is a tool that converts AWS CLI credentials into AWS console access. While this tool can be used legitimately by teams, it may also be used by attackers to gain access to a victim’s console.
Triage and response
- Determine if your organization is using the AWS consoler.
- If it is an internal tool, notify the relevant team so that the leaked key can be triaged appropriately.
- If the results of the triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
- If appropriate, disable or rotate the affected credential.
- Investigate any actions taken by the identity
{{@userIdentity.arn}}. - Work with the relevant teams to remove the key from any source code repositories.
