AWS AMI Made Public

This page is not yet available in Korean and is being translated. If you have any questions or comments about the translation, please contact us.

Goal

Detect when an AMI is made public.

Strategy

This rule monitors CloudTrail API calls to detect when an AMI is made public.

This rule inspects the @requestParameters.launchPermission.add.items.group array for the string all. That value is the indicator that the image has been made public.
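The check described above, as an added example that is not part of the original rule page: it runs the same launchPermission test over a few constructed CloudTrail events (not real logs). The event name ModifyImageAttribute and the sample ARNs and image IDs are assumptions for illustration.

```python
# Constructed sample CloudTrail events for illustration only.
# ModifyImageAttribute is assumed to be the call that changes launch
# permissions; the rule page itself does not name the API call.
SAMPLE_EVENTS = [
    {
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "launchPermission": {"add": {"items": [{"group": "all"}]}},
        },
    },
    {
        # Sharing with a single account is not "public" and must not alert.
        "eventName": "ModifyImageAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {
            "imageId": "ami-0fedcba9876543210",
            "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}},
        },
    },
    {
        # Unrelated read-only call with no launchPermission block at all.
        "eventName": "DescribeImages",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
        "requestParameters": {"imageId": "ami-0123456789abcdef0"},
    },
]


def ami_made_public(event: dict) -> bool:
    """True when requestParameters.launchPermission.add.items contains group == 'all'."""
    params = event.get("requestParameters") or {}
    launch = params.get("launchPermission") or {}
    add = launch.get("add") or {}
    items = add.get("items") or []
    return any(isinstance(item, dict) and item.get("group") == "all" for item in items)


def find_public_ami_events(events: list) -> list:
    """Return (imageId, userIdentity.arn) for each event that makes an AMI public."""
    hits = []
    for event in events:
        if ami_made_public(event):
            hits.append((event["requestParameters"]["imageId"],
                         event["userIdentity"]["arn"]))
    return hits


if __name__ == "__main__":
    for image_id, arn in find_public_ami_events(SAMPLE_EVENTS):
        print(f"ALERT: {image_id} made public by {arn}")
```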

Triage and response

  1. Determine if the AMI (@requestParameters.imageId) should be made public using CloudTrail logs.
  2. Investigate the following ARN ({{@userIdentity.arn}}) that made the AMI public.
  3. Contact the user to see if they intended to make the image public.
  4. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
    • Revert AMI permissions to the original state.
    • Begin your company’s IR process and investigate.

Changelog

11 November 2022 - Add steps to Triage and response section.