<  Back to rules search

A user received multiple AccessDenied errors

cloudtrail

Tactic:

TA0007-discovery

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a user is assessing privileges in AWS through API bruteforcing technique.

Strategy

This rule lets you monitor CloudTrail to detect when the error message of AccessDenied is returned on more than 5 unique API calls.

Triage and response

  1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.
    • Use the Cloud SIEM - User Investigation dashboard to assess user activity.
  2. Contact the user to see if they intended to make these API calls.
  3. If the user did not make the API calls:
    • Rotate the credentials.
    • Investigate to see what API calls might have been made that were successful throughout the rest of the environment.

Changelog

  • 3 March 2022 - Updated rule.
  • 6 January 2023 - Updated tags.