Goal
Detect when aws_consoler is seen in AWS CloudTrail logs.
Strategy
This rule monitors AWS CloudTrail logs for GetCallerIdentity API calls that carry the aws_consoler marker in the request's user agent string. aws_consoler is a tool that converts AWS CLI credentials (an access key ID and secret, with or without a session token) into a federated sign-in link for the AWS Management Console. Teams can use it legitimately, but an attacker who has obtained a key can use it just as easily to turn programmatic access into console access to the victim's account.
Triage and response
- Determine whether your organization uses aws_consoler.
- If it is an internal tool, notify the owning team so they can confirm the use was expected and triage the key involved.
- If the triage shows that this tool is not used by your organization, begin your company's incident response process and an investigation.
- If appropriate, disable or rotate the affected credential.
- Investigate any actions taken by the identity {{@userIdentity.arn}}.
- Work with the relevant teams to remove the key from any source code repositories.
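The detection described under Strategy and the "investigate any actions taken by the identity" triage step, run over a constructed set of CloudTrail records. This is an added example, not Datadog's rule query and not aws_consoler's own code. It assumes the standard CloudTrail JSON field names (eventTime, eventName, userAgent, sourceIPAddress, userIdentity.arn); the records, account ID, IPs and the "ci-deploy" user are all made up for the example.

```python
"""Detection of aws_consoler in CloudTrail records, plus the triage pivot.

Added example; not Datadog's rule query and not aws_consoler's own code.
Assumes standard CloudTrail JSON record fields (eventTime, eventName,
userAgent, sourceIPAddress, userIdentity.arn) and a constructed sample.
"""
from datetime import datetime, timezone

# Constructed sample records (not real log data). The "ci-deploy" key is
# first used by the normal AWS CLI, then by aws_consoler from a different
# IP, followed by console-style activity from that same IP.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 command/sts.get-caller-identity",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "GetCallerIdentity",
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux lang/python#3.11.6 aws_consoler",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2024-05-01T10:05:02Z", "eventName": "GetFederationToken",
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux lang/python#3.11.6 aws_consoler",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2024-05-01T10:09:40Z", "eventName": "ListBuckets",
     "userAgent": "console.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/ci-deploy"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "DescribeInstances",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 command/ec2.describe-instances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
]

TOOL_MARKER = "aws_consoler"


def _ts(record):
    """Parse CloudTrail's ISO-8601 eventTime into an aware UTC datetime."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_aws_consoler(records):
    """Return the records the rule would alert on.

    The match is GetCallerIdentity with the tool marker in the user agent.
    A case-insensitive substring match is used because the marker is appended
    to an otherwise ordinary botocore user-agent string.
    """
    return [
        r for r in records
        if r.get("eventName") == "GetCallerIdentity"
        and TOOL_MARKER in r.get("userAgent", "").lower()
    ]


def follow_on_activity(records, alert, window_minutes=60):
    """Triage pivot: every later record from the same identity ARN or the
    same source IP within the window. The IP pivot matters because the
    console session that aws_consoler hands off to runs under a federated
    ARN that differs from the key's own ARN."""
    start = _ts(alert)
    arn = alert["userIdentity"]["arn"]
    ip = alert["sourceIPAddress"]
    hits = []
    for r in records:
        if r is alert:
            continue
        age = (_ts(r) - start).total_seconds()
        if age < 0 or age > window_minutes * 60:
            continue
        if r["userIdentity"].get("arn") == arn or r["sourceIPAddress"] == ip:
            hits.append(r)
    return hits


def summarize(records):
    """One triage summary per alert: who, from where, when, and what followed."""
    out = []
    for alert in detect_aws_consoler(records):
        related = follow_on_activity(records, alert)
        out.append({
            "arn": alert["userIdentity"]["arn"],
            "source_ip": alert["sourceIPAddress"],
            "event_time": alert["eventTime"],
            "follow_on_events": [(r["eventTime"], r["eventName"], r["userIdentity"]["arn"])
                                 for r in related],
        })
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_RECORDS):
        print(f"aws_consoler seen from {s['source_ip']} as {s['arn']} at {s['event_time']}")
        for t, name, arn in s["follow_on_events"]:
            print(f"  {t} {name} by {arn}")
```

Note that the second CLI-style record from 203.0.113.10 is pulled in by the ARN pivot even though it comes from the key's usual IP; that is the point of the "investigate any actions taken by the identity" step, since once the key is suspect, all of its activity is in scope until it is rotated.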