AWS IAM activity from EC2 instance

Goal

Detect when an AWS EC2 instance role makes API calls to AWS IAM.

Strategy

This rule lets you monitor CloudTrail to detect when an AWS EC2 instance role makes certain API calls to IAM. An attacker who has managed to retrieve temporary access keys assigned to a EC2 instance may try to retain access or escalate privileges by the making the following API calls:

  • CreateUser
  • AttachUserPolicy
  • CreateLoginProfile
  • UpdateLoginProfile
  • CreateAccessKey
  • CreateGroup
  • AttachGroupPolicy
  • CreateRole
  • AttachRolePolicy

Triage and response

  1. Determine if {{@userIdentity.session_name}} should be attempting to make the identified API calls.
  • Use the Cloud SIEM - Host Investigation dashboard to assess host activity.
  1. Contact the team that owns the service the host is part of, to confirm it should make these API calls.
  2. If this is abnormal behavior for the host:
    • Revoke role temporary credentials.
    • Investigate to see what API calls might have been made that were successful throughout the rest of the environment.