AWS IAM user changing sensitive configurations

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1089-disabling-security-tools

Overview

Goal

Detect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.

Strategy

This rule lets you monitor these GuardDuty integration findings:

• Stealth:IAMUser/S3ServerAccessLoggingDisabled
• Stealth:IAMUser/PasswordPolicyChange
• Stealth:IAMUser/CloudTrailLoggingDisabled
• Stealth:IAMUser/LoggingConfigurationModified

Triage & Response

1. Determine which user triggered the signal. This can be found in the signal.
2. Determine if the user’s credentials are compromised.
3. If the user’s credentials are compromised:

• Review the AWS documentation on remediating compromised AWS credentials.