Possible privilege escalation via AWS login profile manipulation


Goal

Detect a user or role attempting to create or update the password for a specified IAM user.

Strategy

This rule monitors CloudTrail for the IAM API calls CreateLoginProfile (sets an initial console password for a user that had none) and UpdateLoginProfile (replaces an existing console password). An attacker holding API credentials for one principal can use either call to give themselves console access as another IAM user, so the rule treats both as a possible privilege escalation.
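To show what the rule actually matches on, here is an added example (not Datadog's rule code) that runs the same detection over a few constructed CloudTrail records. It keys on eventSource iam.amazonaws.com and the two eventNames, pulls the target user out of requestParameters.userName, and marks a finding as cross-user when the actor is setting a password for someone other than themselves. The sample records, account ID and principal names are constructed for the example; the mapping of userIdentity to Datadog's @userIdentity.session_name is an assumption about how Datadog normalises the field.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The two IAM calls the rule keys on.
LOGIN_PROFILE_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}

# Constructed CloudTrail records (one JSON object per line); not real log data.
# Account ID, names and times are made up. CloudTrail never logs the password itself.
SAMPLE_LOG = """
{"eventTime":"2023-06-27T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"UpdateLoginProfile","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice","userName":"alice"},"requestParameters":{"userName":"alice"}}
{"eventTime":"2023-06-27T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateLoginProfile","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42","sessionContext":{"sessionIssuer":{"type":"Role","arn":"arn:aws:iam::123456789012:role/ci-deploy","userName":"ci-deploy"}}},"requestParameters":{"userName":"backup-admin","passwordResetRequired":false}}
{"eventTime":"2023-06-27T10:07:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateLoginProfile","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob","userName":"bob"},"requestParameters":{"userName":"alice"},"errorCode":"AccessDenied","errorMessage":"User: arn:aws:iam::123456789012:user/bob is not authorized to perform: iam:CreateLoginProfile"}
{"eventTime":"2023-06-27T10:09:00Z","eventSource":"iam.amazonaws.com","eventName":"GetUser","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob","userName":"bob"},"requestParameters":{"userName":"bob"}}
"""


@dataclass
class Finding:
    event_name: str
    actor: str                  # principal that made the call
    target_user: str            # IAM user whose console password was set
    cross_user: bool            # actor set a password for a different principal
    error_code: Optional[str]   # set when IAM denied the call; intent is still visible


def actor_identity(user_identity: dict) -> str:
    """Most specific identity available. For assumed roles CloudTrail nests the
    role under sessionContext.sessionIssuer; that is assumed here to be what
    Datadog surfaces as @userIdentity.session_name."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "unknown")


def actor_user_name(user_identity: dict) -> Optional[str]:
    """IAM user name of the actor when the call came from a long-lived IAM user.
    Assumed-role sessions are not IAM users, so they can never be 'self-service'."""
    if user_identity.get("type") == "IAMUser":
        return user_identity.get("userName")
    return None


def parse_records(log_text: str) -> List[dict]:
    """Parse newline-delimited JSON CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(events: Iterable[dict]) -> List[Finding]:
    """The detection itself: keep only IAM login-profile calls, both successful and denied."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in LOGIN_PROFILE_EVENTS:
            continue
        ui = ev.get("userIdentity", {})
        target = (ev.get("requestParameters") or {}).get("userName", "")
        findings.append(Finding(
            event_name=ev["eventName"],
            actor=actor_identity(ui),
            target_user=target,
            cross_user=actor_user_name(ui) != target,
            error_code=ev.get("errorCode"),
        ))
    return findings


def priority(f: Finding) -> str:
    """Triage ordering: a principal setting someone else's console password is the
    escalation pattern this rule exists for; a denied attempt still shows intent;
    a user rotating their own password is usually expected."""
    if f.cross_user:
        return "high"
    if f.error_code:
        return "medium"
    return "low"


if __name__ == "__main__":
    for f in detect(parse_records(SAMPLE_LOG)):
        print(f"[{priority(f)}] {f.event_name}: {f.actor} -> {f.target_user}"
              + (f" (denied: {f.error_code})" if f.error_code else ""))
```

Note that the denied attempt by bob is still reported: the rule text says "attempted", and an AccessDenied on CreateLoginProfile against another user is exactly the kind of probing the triage steps below ask you to look for in the caller's other API calls.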

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user (their credentials may be compromised):
  • Rotate the user's credentials.
  • Determine what other API calls were made with those credentials.
  • Delete any login profiles created by the attacker with the aws-cli command delete-login-profile (aws iam delete-login-profile --user-name <target user>) or use the AWS Console.
  3. If the API call was made by the user:
  • Determine if the user should be performing this API call, in particular whether the target user in the request is someone other than the caller.
  • If not, review the other API calls made by the user and determine if they warrant further investigation.

ChangeLog

27 June 2023 - Updated rule query, name, case, goal and strategy to reflect login profile creation and login profile update.