AWS IAM activity from EC2 instance

cloudtrail

Classification:

attack

Tactic:

TA0003-persistence

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an AWS EC2 instance role makes API calls to AWS IAM.

Strategy

This rule lets you monitor CloudTrail to detect when an AWS EC2 instance role makes certain API calls to IAM. An attacker who has managed to retrieve temporary access keys assigned to a EC2 instance may try to retain access or escalate privileges by the making the following API calls:

  • CreateUser
  • AttachUserPolicy
  • CreateLoginProfile
  • UpdateLoginProfile
  • CreateAccessKey
  • CreateGroup
  • AttachGroupPolicy
  • CreateRole
  • AttachRolePolicy

Triage and response

  1. Determine if {{@userIdentity.session_name}} should be attempting to make the identified API calls.
  • Use the Cloud SIEM - Host Investigation dashboard to assess host activity.
  1. Contact the team that owns the service the host is part of, to confirm it should make these API calls.
  2. If this is abnormal behavior for the host:
    • Revoke role temporary credentials.
    • Investigate to see what API calls might have been made that were successful throughout the rest of the environment.