AWS Disable Cloudtrail with event selectors
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when CloudTrail has been disabled by creating an event selector on the Trail.
Strategy
This rule lets you monitor CloudTrail and detect if an attacker used the PutEventSelectors
API call to filter out management events, effectively disabling CloudTrail for the specified Trail.
See the public Proof of Concept (PoC) for this attack.
Triage and response
- Determine if
{{@userIdentity.arn}}
should have made the {{@evt.name}}
API call. - If the API call was not made legitimately by the user:
- Rotate user credentials.
- Determine what other API calls were made by the user.
- Remove the event selector using the
aws-cli
command put-event-selectors
or use the AWS console to revert the event selector back to the last known good state.
- If the API call was made legitimately by the user:
- Determine if the user was authorized to make that change.
- If Yes, work with the user to ensure that CloudTrail logs for the affected account
{{@userIdentity.accountId}}
are being sent to the Datadog platform. - If No, remove the event selector using the
aws-cli
command put-event-selectors
or reference the AWS console documentation to revert the event selector back to the last known good state.
Changelog
- 17 October 2022 - Updated tags.