AWS VPC created or modified
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when an attacker is destroying a VPC.
Strategy
This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:
Triage and response
- Determine if
{{@userIdentity.arn}}
is expected to perform the {{@evt.name}}
API call on the account: {{@userIdentity.accountId}}
. - Contact the principal owner and see if this was an API call that was made by the user.
- If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.
- Rotate the credentials.
- Investigate if the same credentials made other unauthorized API calls.
Changelog
7 April 2022 - Updated rule query, cases and signal message.