Invitation sent to account to join AWS organization

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when there is an attempt to invite an AWS account to an AWS organization.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to invite an AWS account to an AWS organization. An attacker may attempt add an attacker controlled AWS account to a compromised AWS organization to evade the existing defenses of the organization.

This operation can be called only from the organization’s management account.

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made a {{@evt.name}} API call.
    • Refer to @requestParameters.target.id to retrieve the account invited. This maybe in the form of an AWS account ID or email address.
    • Attempt to confirm the action either with the identity making the change or search for a ticket associated with the change.
    • Investigate other activities performed by the identity {{@userIdentity.arn}} using the Cloud SIEM - User Investigation dashboard.
  2. If the API call does not appear to be legitimate, begin your organization’s incident response process and investigate.