Amazon SNS enumeration in multiple regions using a long-term access key

Goal

Detect when the Amazon Simple Notification Service (SNS) is enumerated across multiple regions using a long-term access key.

Strategy

Monitor CloudTrail and detect when Amazon SNS has been enumerated across multiple regions using a long-term access key with one of the following API calls:

With these API calls, an attacker can determine the account’s monthly spending limit and whether the account is in an SMS sandbox. An attacker may target this service for the purpose of SMS phishing.
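As an added illustration (not the Datadog rule's own logic), the following Python script applies the strategy above to constructed CloudTrail records: it keeps SNS read calls made with a long-term access key (IAM access key IDs begin with `AKIA`; STS temporary keys begin with `ASIA`) and raises a signal when one key touches more distinct regions than a threshold. The watched API names, the region threshold, the account ID, ARNs, key IDs and IP addresses are all assumptions chosen for the example.

```python
from collections import defaultdict

# Assumed threshold: a long-term key enumerating SNS in this many distinct
# regions is reported as a signal.
REGION_THRESHOLD = 3
# Assumed set of SNS read calls to watch (the rule page lists its calls
# generically; these are real SNS API action names).
WATCHED_CALLS = {"GetSMSAttributes", "GetSMSSandboxAccountStatus", "ListTopics"}


def is_long_term_key(access_key_id):
    """Long-term IAM access keys start with AKIA; temporary STS keys start with ASIA."""
    return access_key_id.startswith("AKIA")


def enumeration_signals(records, threshold=REGION_THRESHOLD):
    """Group watched SNS calls by long-term access key and return the keys
    whose calls span at least `threshold` distinct AWS regions."""
    by_key = defaultdict(lambda: {"arn": None, "regions": set(), "ips": set()})
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED_CALLS:
            continue
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if not is_long_term_key(key):
            continue  # temporary credentials are out of scope for this rule
        entry = by_key[key]
        entry["arn"] = ident.get("arn")
        entry["regions"].add(rec["awsRegion"])
        entry["ips"].add(rec.get("sourceIPAddress"))
    return {k: {"arn": v["arn"], "regions": sorted(v["regions"]), "ips": sorted(v["ips"])}
            for k, v in by_key.items() if len(v["regions"]) >= threshold}


def _rec(name, region, key, arn, ip):
    """Build a minimal constructed CloudTrail record with the fields the rule needs."""
    return {"eventSource": "sns.amazonaws.com", "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key, "arn": arn}}


# Constructed sample records: one long-term key enumerates four regions, a
# temporary key enumerates two, and a Publish call is not enumeration at all.
USER = "arn:aws:iam::123456789012:user/svc-deploy"
ROLE = "arn:aws:sts::123456789012:assumed-role/Admin/session"
SAMPLE_RECORDS = [
    _rec("GetSMSAttributes", "us-east-1", "AKIAEXAMPLE000000001", USER, "198.51.100.7"),
    _rec("GetSMSSandboxAccountStatus", "us-west-2", "AKIAEXAMPLE000000001", USER, "198.51.100.7"),
    _rec("ListTopics", "eu-west-1", "AKIAEXAMPLE000000001", USER, "198.51.100.7"),
    _rec("GetSMSAttributes", "ap-south-1", "AKIAEXAMPLE000000001", USER, "198.51.100.7"),
    _rec("GetSMSAttributes", "us-east-1", "ASIAEXAMPLE000000002", ROLE, "203.0.113.9"),
    _rec("GetSMSAttributes", "us-west-2", "ASIAEXAMPLE000000002", ROLE, "203.0.113.9"),
    _rec("Publish", "us-east-1", "AKIAEXAMPLE000000003", USER, "198.51.100.8"),
]
```

Running `enumeration_signals(SAMPLE_RECORDS)` reports only the `AKIA` key with its four regions, which is the case the triage steps below are written for; raising the threshold above four yields no signal.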

Triage and response

  1. Determine if the API call: {{@evt.name}} should have been made by the user: {{@userIdentity.arn}} from this IP address: {{@network.client.ip}}.
  2. If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the action shouldn’t have happened:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
    • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
    • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.

Changelog

  • 11 March 2024 - Reduced cardinality of threshold for high and medium severity signal.