AWS Kinesis Firehose stream destination modified

Goal

Detect when the destination of an AWS Kinesis Firehose delivery stream is modified, since a changed destination redirects the stream's data to wherever the new destination points.

Strategy

This rule monitors AWS CloudTrail logs from Kinesis Firehose (@eventSource:firehose.amazonaws.com) and detects when @evt.name is UpdateDestination, the API call that changes where a delivery stream sends its data.

Triage and response

  1. Determine whether {{@userIdentity.arn}} is expected to make the {{@evt.name}} API call in account {{@userIdentity.accountId}}.
  2. If the API call was not made by the user:
    • Rotate the credentials.
    • Investigate whether the same credentials made other unauthorized API calls, and which of those calls succeeded.
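The following is an added example, not part of the original rule page or Datadog's own implementation. It runs the rule's matching logic (eventSource plus eventName, the CloudTrail fields behind @eventSource and @evt.name) over a handful of constructed CloudTrail records, and then performs the triage pivot from step 2: listing every call the same principal made that did not return an error. The records are constructed for illustration; the request-parameter names (deliveryStreamName, the *DestinationUpdate keys) follow the UpdateDestination API request shape and are an assumption about what a given record will contain.

```python
"""Offline check of the 'Firehose destination modified' rule over constructed
CloudTrail records, plus the triage pivot to other calls by the same principal.
Added example; the log lines below are constructed, not real events."""
import json

ALICE = {"arn": "arn:aws:iam::123456789012:user/alice",
         "accountId": "123456789012"}
INGEST = {"arn": "arn:aws:iam::123456789012:role/ingest",
          "accountId": "123456789012"}

# Constructed CloudTrail records, trimmed to the fields the rule and the
# triage steps use. Field names follow the CloudTrail record format.
SAMPLE_LOG_LINES = [
    json.dumps({  # the event the rule should catch
        "eventSource": "firehose.amazonaws.com",
        "eventName": "UpdateDestination",
        "userIdentity": ALICE,
        "requestParameters": {
            "deliveryStreamName": "app-logs",
            "currentDeliveryStreamVersionId": "3",
            "destinationId": "destinationId-000000000001",
            # assumed request shape: one <type>DestinationUpdate block
            "s3DestinationUpdate": {"bucketARN": "arn:aws:s3:::some-other-bucket"},
        },
    }),
    json.dumps({  # same principal, a different successful call
        "eventSource": "firehose.amazonaws.com",
        "eventName": "DescribeDeliveryStream",
        "userIdentity": ALICE,
    }),
    json.dumps({  # same principal, denied: not 'successfully accessed'
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "errorCode": "AccessDenied",
        "userIdentity": ALICE,
    }),
    json.dumps({  # Firehose, but a different API: must not match the rule
        "eventSource": "firehose.amazonaws.com",
        "eventName": "PutRecord",
        "userIdentity": INGEST,
    }),
]


def parse_records(lines):
    """One JSON object per line, as CloudTrail records are usually shipped."""
    return [json.loads(line) for line in lines]


def detect_destination_updates(records):
    """Apply the rule: eventSource == firehose.amazonaws.com AND
    eventName == UpdateDestination. Like the rule itself, this does not
    filter on errorCode; the error code is carried through for the analyst
    so a failed attempt is visible rather than silently dropped."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "firehose.amazonaws.com":
            continue
        if rec.get("eventName") != "UpdateDestination":
            continue
        params = rec.get("requestParameters") or {}
        hits.append({
            "arn": rec.get("userIdentity", {}).get("arn"),
            "account_id": rec.get("userIdentity", {}).get("accountId"),
            "delivery_stream": params.get("deliveryStreamName"),
            # which destination type was changed (assumed key naming)
            "destination_updates": sorted(
                k for k in params if k.endswith("DestinationUpdate")),
            "error_code": rec.get("errorCode"),
        })
    return hits


def successful_calls_by_principal(records, arn):
    """Triage step 2: every call by the same ARN that CloudTrail recorded
    without an errorCode, i.e. what the credentials actually achieved."""
    return [
        (rec.get("eventSource"), rec.get("eventName"))
        for rec in records
        if rec.get("userIdentity", {}).get("arn") == arn
        and "errorCode" not in rec
    ]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    for hit in detect_destination_updates(recs):
        print("ALERT:", hit)
        print("  other successful calls:",
              successful_calls_by_principal(recs, hit["arn"]))
```

The `error_code` field matters during triage: an UpdateDestination that returned an error did not actually change the stream, but a denied attempt from an unexpected principal is still worth the same credential investigation.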