AWS security group created, modified or deleted

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an AWS security group has been modified.

Strategy

Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

Note: There is a separate rule to detect AWS Security Group Open to the World.

Triage and response

  1. Determine who the user was who made this API call.
  2. Contact the user and see if this was an API call which was made by the user.
  3. If the API call was not made by the user:
    • Rotate the user credentials and investigate what other API calls.
    • Determine what other API calls the user made which were not made by the user.

Changelog

18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.