AWS IAM activity from EC2 instance
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when an AWS EC2 instance role makes API calls to AWS IAM.
Strategy
This rule lets you monitor CloudTrail to detect when an AWS EC2 instance role makes certain API calls to IAM. An attacker who has managed to retrieve temporary access keys assigned to a EC2 instance may try to retain access or escalate privileges by the making the following API calls:
- CreateUser
- AttachUserPolicy
- CreateLoginProfile
- UpdateLoginProfile
- CreateAccessKey
- CreateGroup
- AttachGroupPolicy
- CreateRole
- AttachRolePolicy
Triage and response
- Determine if
{{@userIdentity.session_name}}
should be attempting to make the identified API calls.
- Use the Cloud SIEM - Host Investigation dashboard to assess host activity.
- Contact the team that owns the service the host is part of, to confirm it should make these API calls.
- If this is abnormal behavior for the host:
- Revoke role temporary credentials.
- Investigate to see what API calls might have been made that were successful throughout the rest of the environment.