AWS AMI Made Public


Goal

Detect when an AMI is made public.

Strategy

This rule monitors the CloudTrail record of the EC2 ModifyImageAttribute API call, the call that changes an image's launch permissions, to detect when an AMI is made public.

The rule inspects the @requestParameters.launchPermission.add.items.group array for the string all. A launch permission granted to the group all lets any AWS account launch the image, so its presence in the add list is the indicator that the image has been made public. Calls that only add a userId, that remove permissions, or that modify a different image attribute do not match.
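The following is an added example, not Datadog's rule implementation or AWS code, of the condition described above applied to constructed CloudTrail events, together with a helper that prepares the revert used in triage step 4. The events, account IDs, ARNs and image IDs are made up for the example; the revert helper assumes the parameter names of boto3's ec2.modify_image_attribute and does not call AWS itself.

```python
"""Detect ModifyImageAttribute CloudTrail events that make an AMI public."""

# Constructed sample events, not real CloudTrail captures. Only the fields the
# rule and the triage steps use are included; requestParameters follows the
# layout of the ModifyImageAttribute event that the rule inspects.
SAMPLE_EVENTS = [
    {   # Image shared with one account: add.items carries a userId, no group
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "attributeType": "launchPermission",
            "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}},
        },
    },
    {   # Image made public: one of the added launch permissions is group "all"
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci-runner"},
        "requestParameters": {
            "imageId": "ami-0fedcba9876543210",
            "attributeType": "launchPermission",
            "launchPermission": {
                "add": {"items": [{"userId": "222222222222"}, {"group": "all"}]}
            },
        },
    },
    {   # Public grant being removed: "all" sits under remove, not add
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "imageId": "ami-0fedcba9876543210",
            "attributeType": "launchPermission",
            "launchPermission": {"remove": {"items": [{"group": "all"}]}},
        },
    },
    {   # Unrelated attribute change: no launchPermission block at all
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "attributeType": "description",
            "description": {"value": "golden image 2022-11"},
        },
    },
]


def added_launch_permissions(event):
    """Return @requestParameters.launchPermission.add.items, or [] when any
    level of that path is absent (other attributes, remove-only calls)."""
    params = event.get("requestParameters") or {}
    add = (params.get("launchPermission") or {}).get("add") or {}
    return add.get("items") or []


def is_ami_made_public(event):
    """The rule's condition: an EC2 ModifyImageAttribute call whose added
    launch permissions contain the group "all"."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return False
    if event.get("eventName") != "ModifyImageAttribute":
        return False
    return any(item.get("group") == "all" for item in added_launch_permissions(event))


def triage_context(event):
    """The two values the triage steps start from: the image and the actor."""
    return {
        "imageId": (event.get("requestParameters") or {}).get("imageId"),
        "actor": (event.get("userIdentity") or {}).get("arn"),
    }


def revert_request(event):
    """Keyword arguments for boto3's ec2.modify_image_attribute() that remove
    the public grant again (the "Revert AMI permissions" triage step). Only the
    group "all" entry is removed; account-specific grants made in the same call
    are left for the image owner to review, since they may be legitimate."""
    return {
        "ImageId": event["requestParameters"]["imageId"],
        "Attribute": "launchPermission",
        "LaunchPermission": {"Remove": [{"Group": "all"}]},
    }


def scan(events):
    """Run the detection over a batch of events and return one alert per hit."""
    return [triage_context(e) for e in events if is_ami_made_public(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        if is_ami_made_public(event):
            print("AMI made public:", triage_context(event))
            print("  revert with ec2.modify_image_attribute(**%r)" % revert_request(event))
```

Of the four constructed events only the second alerts: the first adds an account-specific grant, the third removes the public grant (which is the expected shape of a successful revert), and the fourth changes the image description. Keeping the eventSource and eventName checks in front of the array inspection avoids matching other services that happen to log a field named group.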

Triage and response

  1. Using the CloudTrail logs, determine whether the AMI (@requestParameters.imageId) was meant to be public.
  2. Investigate the identity ({{@userIdentity.arn}}) that made the AMI public.
  3. Contact the user to see if they intended to make the image public.
  4. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
    • Revert AMI permissions to the original state.
    • Begin your company’s IR process and investigate.

Changelog

11 November 2022 - Add steps to Triage and response section.