As cloud infrastructure becomes the backbone of modern enterprises, ensuring the security of those environments is paramount. With AWS (Amazon Web Services) still the dominant cloud, it is important for any security professional to know where to look for indicators of compromise. AWS CloudTrail stands out as an essential tool for monitoring and logging API activity, providing a comprehensive record of actions taken within an AWS account. Think of AWS CloudTrail as an audit or event log for all the API calls made in your AWS account. For security professionals, monitoring these logs is critical, particularly when it comes to detecting unauthorized access, such as through stolen API keys. These techniques and many others I have learned through the incidents I have worked in AWS, and we have built them into SANS FOR509, Enterprise Cloud Forensics.
1. Unusual API Calls and Access Patterns
A. Sudden Spike in API Requests
One of the first indicators of a potential security breach is an unexpected increase in API requests. CloudTrail logs every API call made within your AWS account, including who made the call (`userIdentity`), when it was made (`eventTime`), and from where (`sourceIPAddress` and `userAgent`). An attacker with stolen API keys will typically fire off a large number of requests in a short time frame, either enumerating the account to learn what the key can reach (calls such as `GetCallerIdentity`, `ListUsers`, `ListBuckets`, `DescribeInstances`) or attempting to use specific services.
What to Look For:
- A sudden, uncharacteristic surge in API activity from a single access key or principal.
- API calls from unusual IP addresses, particularly from regions where legitimate users do not operate, or from a new `userAgent` (a stolen key is rarely driven from the same tooling as the legitimate one).
- Access attempts across a wide range of services, especially ones your organization does not normally use; a run of `AccessDenied` errors (the `errorCode` field) across many services is a classic sign of someone feeling out what a key is allowed to do.
Note that GuardDuty (if enabled) will automatically flag many of these events, but you should still be hunting for them yourself: GuardDuty's baselines take time to build, and it will not catch every pattern.
B. Unauthorized Use of the Root Account
AWS strongly recommends against using the root account for day-to-day operations because of its unrestricted privileges. Any use of the root account, especially if access keys associated with it are being used, is a significant red flag. In CloudTrail, root activity appears with `userIdentity.type` set to `Root`; ideally the root user has no access keys at all, so any key-based root call deserves immediate investigation.
What to Look For:
- API calls made with root account credentials, especially if the root account is not normally used.
- Changes to account-level settings, such as modifying billing information, contact details, or account configurations.
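As an added example that is not part of the original post, here is a small Python rule set that applies the checks from 1.A and 1.B to CloudTrail records. The records at the bottom are constructed to look like CloudTrail output (an enumerating attacker with a stolen key, a key-based root call, and a normal user); `TRUSTED_CIDRS`, the spike window and the thresholds are assumptions you would tune to your own baseline.

```python
"""Added example (not from the original post): checks for sections 1.A and 1.B
over CloudTrail records.  Sample records are constructed; TRUSTED_CIDRS and the
thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: corporate egress
SPIKE_WINDOW = timedelta(minutes=5)
SPIKE_THRESHOLD = 20          # calls by one principal inside the window
SERVICE_SPREAD_THRESHOLD = 5  # distinct eventSource values for one principal


def _principal(rec):
    """Identify the caller by access key when present, otherwise by ARN."""
    uid = rec.get("userIdentity", {})
    return uid.get("accessKeyId") or uid.get("arn") or "unknown"


def _event_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Non-IP values such as "AWS Internal" mean an AWS service made the call.
        return True
    return any(addr in net for net in TRUSTED_CIDRS)


def analyze(records):
    """Return a de-duplicated list of (finding, principal, detail) tuples."""
    findings, seen = [], set()

    def add(f):
        if f not in seen:
            seen.add(f)
            findings.append(f)

    by_principal = defaultdict(list)
    for rec in sorted(records, key=_event_time):
        p = _principal(rec)
        by_principal[p].append(rec)
        if rec.get("userIdentity", {}).get("type") == "Root":      # 1.B
            add(("root_activity", p, rec["eventName"]))
        if not _is_trusted(rec.get("sourceIPAddress", "")):         # 1.A
            add(("untrusted_ip", p, rec["sourceIPAddress"]))

    for p, recs in by_principal.items():
        times = [_event_time(r) for r in recs]          # already sorted
        start = 0
        for end in range(len(times)):                   # sliding window over time
            while times[end] - times[start] > SPIKE_WINDOW:
                start += 1
            if end - start + 1 >= SPIKE_THRESHOLD:
                add(("api_spike", p, end - start + 1))
                break
        services = {r["eventSource"] for r in recs}
        if len(services) >= SERVICE_SPREAD_THRESHOLD:
            add(("service_spread", p, len(services)))
    return findings


# --- constructed sample records (shaped like CloudTrail, not real data) ---
def _rec(time, source, name, ip, identity):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": identity}

ACCT = "123456789012"
STOLEN = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ci-deploy", "accessKeyId": "AKIAEXAMPLESTOLEN001"}
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}
ROOT = {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root", "accessKeyId": "AKIAEXAMPLEROOT00001"}
ENUM = [("sts.amazonaws.com", "GetCallerIdentity"), ("iam.amazonaws.com", "ListUsers"),
        ("s3.amazonaws.com", "ListBuckets"), ("ec2.amazonaws.com", "DescribeInstances"),
        ("lambda.amazonaws.com", "ListFunctions"), ("secretsmanager.amazonaws.com", "ListSecrets")]

# 24 enumeration calls in 24 seconds from an unknown IP, one root call, and normal activity
SAMPLE = [_rec(f"2024-05-01T03:00:{i:02d}Z", *ENUM[i % len(ENUM)], "198.51.100.7", STOLEN) for i in range(24)]
SAMPLE += [_rec("2024-05-01T03:10:00Z", "iam.amazonaws.com", "GetAccountSummary", "203.0.113.40", ROOT)]
SAMPLE += [_rec(f"2024-05-01T{h:02d}:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.15", ALICE)
           for h in (8, 9, 10)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(*finding)
```

Feed it the `Records` array of a CloudTrail log file (after `json.load`) in place of `SAMPLE`. Keying the aggregation by access key rather than by user is deliberate: a stolen key and the legitimate user's other key show up as separate principals, which is exactly the split you want to see.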
2. Anomalous IAM Activity
A. Suspicious Creation of Access Keys
Attackers may create new access keys to establish persistent access to the compromised account. Monitoring CloudTrail for the creation of new access keys is essential, especially when those keys are created for users that do not normally require them. CloudTrail never logs the secret, but a successful `CreateAccessKey` record carries the new key ID in `responseElements.accessKey.accessKeyId`, and every later call made with that key carries the same ID in `userIdentity.accessKeyId`, so creation can be tied directly to first use.
What to Look For:
- Creation of new access keys for IAM users, particularly those who have never needed them before, or a second key added to a user that already has one.
- Immediate use of newly created access keys, which may indicate an attacker is testing or employing the new key.
- API calls related to `CreateAccessKey`, `ListAccessKeys`, and `UpdateAccessKey` (which can re-activate a key you thought was disabled).
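The correlation described above, as an added example rather than code from the original post: each successful `CreateAccessKey` is matched to the first CloudTrail record whose `userIdentity.accessKeyId` equals the key it produced. The records are constructed; `QUICK_USE` and the set of users that normally have no keys are assumptions.

```python
"""Added example (not from the original post): tie CreateAccessKey to the first
use of the new key.  Records are constructed; QUICK_USE is an assumption."""
from datetime import datetime, timedelta, timezone

QUICK_USE = timedelta(minutes=30)   # assumption: first use this soon is "immediate"


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_creation_findings(records, users_without_keys):
    """Return one dict per successful CreateAccessKey: creator, target user,
    new key id, whether that user normally has no keys, and the delay until
    the new key's first use (None if it was never seen in use)."""
    records = sorted(records, key=lambda r: r["eventTime"])
    created = {}
    for r in records:
        # A failed call (errorCode set) has no responseElements, so it is skipped.
        if r["eventName"] == "CreateAccessKey" and r.get("responseElements"):
            key = r["responseElements"]["accessKey"]
            created[key["accessKeyId"]] = {
                "access_key_id": key["accessKeyId"],
                "target_user": key["userName"],
                "created_by": r["userIdentity"].get("arn"),
                "created_at": r["eventTime"],
                "source_ip": r["sourceIPAddress"],
                "unusual_for_user": key["userName"] in users_without_keys,
                "first_use_after": None,
                "first_use_event": None,
            }
    for r in records:   # the CreateAccessKey call itself used the creator's key, not the new one
        f = created.get(r["userIdentity"].get("accessKeyId"))
        if f is not None and f["first_use_after"] is None:
            f["first_use_after"] = _t(r["eventTime"]) - _t(f["created_at"])
            f["first_use_event"] = r["eventName"]
    for f in created.values():
        f["quick_use"] = f["first_use_after"] is not None and f["first_use_after"] <= QUICK_USE
        f["suspicious"] = f["quick_use"] or f["unusual_for_user"]
    return list(created.values())


# --- constructed sample records ---
ACCT = "123456789012"

def _rec(time, name, ip, identity, **extra):
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
           "sourceIPAddress": ip, "userIdentity": identity}
    rec.update(extra)
    return rec

NEW_KEY, ALICE_KEY = "AKIAEXAMPLENEW000001", "AKIAEXAMPLEALICE0002"
STOLEN = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ci-deploy", "accessKeyId": "AKIAEXAMPLESTOLEN001"}
ADMIN = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/admin-bob", "accessKeyId": "AKIAEXAMPLEBOB000001"}
BACKUP_NEW = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/backup-svc", "accessKeyId": NEW_KEY}
ALICE_NEW = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice", "accessKeyId": ALICE_KEY}

SAMPLE = [
    # attacker mints a key for a service account and uses it three minutes later
    _rec("2024-05-01T03:05:00Z", "CreateAccessKey", "198.51.100.7", STOLEN,
         requestParameters={"userName": "backup-svc"},
         responseElements={"accessKey": {"accessKeyId": NEW_KEY, "userName": "backup-svc", "status": "Active"}}),
    _rec("2024-05-01T03:06:00Z", "CreateAccessKey", "198.51.100.7", STOLEN,
         requestParameters={"userName": "alice"}, errorCode="LimitExceeded"),
    _rec("2024-05-01T03:08:00Z", "GetCallerIdentity", "198.51.100.7", BACKUP_NEW, eventSource="sts.amazonaws.com"),
    _rec("2024-05-01T03:09:00Z", "ListBuckets", "198.51.100.7", BACKUP_NEW, eventSource="s3.amazonaws.com"),
    # an admin rotates alice's key; she first uses it two days later
    _rec("2024-05-02T09:00:00Z", "CreateAccessKey", "203.0.113.15", ADMIN,
         requestParameters={"userName": "alice"},
         responseElements={"accessKey": {"accessKeyId": ALICE_KEY, "userName": "alice", "status": "Active"}}),
    _rec("2024-05-04T09:00:00Z", "ListUsers", "203.0.113.15", ALICE_NEW),
]

if __name__ == "__main__":
    for f in key_creation_findings(SAMPLE, {"backup-svc"}):
        print(f["access_key_id"], f["target_user"], "suspicious" if f["suspicious"] else "ok", f["first_use_after"])
```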
B. Role Assumption Patterns
AWS allows users to assume roles, granting them temporary credentials for specific tasks. Monitoring for unusual role assumption patterns is vital, because an attacker who lands with one set of keys will assume roles to pivot within the environment and into other accounts. The `AssumeRole` call is logged under the `sts.amazonaws.com` event source with the target in `requestParameters.roleArn` and the new session's ARN in `responseElements.assumedRoleUser.arn`; everything that session then does is logged with `userIdentity.type` of `AssumedRole`, the same session ARN in `userIdentity.arn`, and the role identified in `userIdentity.sessionContext.sessionIssuer`.
What to Look For:
- Unusual or frequent `AssumeRole` API calls, especially to roles with elevated privileges, and role chaining (an assumed-role session calling `AssumeRole` again).
- Role assumptions from IP addresses or regions not typically associated with your legitimate users.
- Role assumptions followed by actions inconsistent with normal business operations.
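Reconstructing sessions this way, as an added example that is not from the original post: the code below links each `AssumeRole` to the actions its session later performed, detects role chaining, and flags pivots into privileged roles. The records are constructed (a stolen key hopping through a read-only role into an admin role, and a normal deployment); the privileged-role pattern, trusted ranges and "sensitive" event sources are assumptions.

```python
"""Added example (not from the original post): rebuild AssumeRole sessions from
CloudTrail and flag pivots.  Records are constructed; the role pattern and
trusted ranges are assumptions."""
import ipaddress
import re

PRIVILEGED_ROLE_RE = re.compile(r"admin|poweruser|security", re.I)   # assumption
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]             # assumption
SENSITIVE_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com"}


def _trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in n for n in TRUSTED_CIDRS)
    except ValueError:
        return True   # "AWS Internal" and similar: service-originated call


def role_sessions(records):
    """One dict per AssumeRole: caller, role, later actions, and reasons it is suspicious."""
    recs = sorted(records, key=lambda r: r["eventTime"])
    sessions = {}
    for r in recs:
        if (r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole"
                and r.get("responseElements")):
            role = r["requestParameters"]["roleArn"]
            sessions[r["responseElements"]["assumedRoleUser"]["arn"]] = {
                "caller": r["userIdentity"]["arn"],
                "role": role,
                "source_ip": r["sourceIPAddress"],
                "privileged": bool(PRIVILEGED_ROLE_RE.search(role)),
                "chained": r["userIdentity"]["type"] == "AssumedRole",   # role -> role hop
                "actions": [],
            }
    for r in recs:   # later calls by a session carry its ARN in userIdentity.arn
        s = sessions.get(r["userIdentity"].get("arn"))
        if s is not None:
            s["actions"].append((r["eventSource"], r["eventName"]))
    for s in sessions.values():
        reasons = []
        if not _trusted(s["source_ip"]):
            reasons.append("untrusted_ip")
        if s["privileged"] and s["chained"]:
            reasons.append("chained_into_privileged_role")
        if s["privileged"] and any(src in SENSITIVE_SOURCES for src, _ in s["actions"]):
            reasons.append("privileged_session_touched_iam_or_sts")
        s["reasons"] = reasons
    return list(sessions.values())


# --- constructed sample records ---
ACCT = "123456789012"

def _rec(time, source, name, ip, identity, **extra):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": identity}
    rec.update(extra)
    return rec

def _assume(time, ip, identity, role_name, session_name):
    return _rec(time, "sts.amazonaws.com", "AssumeRole", ip, identity,
                requestParameters={"roleArn": f"arn:aws:iam::{ACCT}:role/{role_name}",
                                   "roleSessionName": session_name},
                responseElements={"assumedRoleUser": {
                    "arn": f"arn:aws:sts::{ACCT}:assumed-role/{role_name}/{session_name}"}})

def _session(role_name, session_name):
    return {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/{role_name}/{session_name}",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": f"arn:aws:iam::{ACCT}:role/{role_name}"}}}

CI = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ci-deploy", "accessKeyId": "AKIAEXAMPLESTOLEN001"}
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}
ATTACKER_IP = "198.51.100.7"

SAMPLE = [
    _assume("2024-05-01T03:15:00Z", ATTACKER_IP, CI, "ReadOnlyAudit", "recon"),
    _rec("2024-05-01T03:16:00Z", "iam.amazonaws.com", "ListRoles", ATTACKER_IP, _session("ReadOnlyAudit", "recon")),
    _assume("2024-05-01T03:17:00Z", ATTACKER_IP, _session("ReadOnlyAudit", "recon"), "OrgAdmin", "recon"),
    _rec("2024-05-01T03:18:00Z", "iam.amazonaws.com", "CreateUser", ATTACKER_IP, _session("OrgAdmin", "recon")),
    _rec("2024-05-01T03:18:30Z", "iam.amazonaws.com", "AttachUserPolicy", ATTACKER_IP, _session("OrgAdmin", "recon")),
    _assume("2024-05-01T09:00:00Z", "203.0.113.15", ALICE, "Deployer", "alice"),
    _rec("2024-05-01T09:01:00Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", "203.0.113.15",
         _session("Deployer", "alice")),
]

if __name__ == "__main__":
    for s in role_sessions(SAMPLE):
        print(s["role"].rsplit("/", 1)[1], s["reasons"], [n for _, n in s["actions"]])
```

Note that the chained `AssumeRole` shows up twice, once as an action of the first session and once as the start of the second, which is exactly how you walk the chain back to the original key.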
3. Anomalous Data Access and Movement
A. Unusual S3 Bucket Access
Amazon S3 is a frequent target for attackers, given that it can hold vast amounts of potentially sensitive data. Monitoring CloudTrail for unusual access to S3 buckets is essential in detecting compromised API keys. One caveat: a trail records only management events by default (`ListBuckets`, `GetBucketPolicy`, `PutBucketAcl` and the like). Object-level calls such as `GetObject` and `PutObject` are data events and only appear in CloudTrail if you have enabled S3 data event logging for the trail; if you have not, S3 server access logs are your fallback for object reads.
What to Look For:
- API calls such as `ListBuckets`, `GetObject`, or `PutObject` against buckets that do not normally see such activity.
- Large-scale downloads from or uploads to S3 buckets, especially outside normal business hours.
- Access attempts to buckets that store sensitive data, such as backups or confidential files.
B. Data Exfiltration Attempts
An attacker may try to move data out of your AWS environment. CloudTrail can help detect such attempts, particularly when the transfer pattern is unusual, but keep in mind that it records API calls, not network flows: it shows you the `GetObject` calls and, for S3 data events, the byte counts in `additionalEventData.bytesTransferredOut`, while the only destination it knows is the `sourceIPAddress` of the caller.
What to Look For:
- Large data transfers from services like S3, RDS (Relational Database Service), or DynamoDB, especially to external or unknown IP addresses. For RDS and DynamoDB the exfiltration is usually a snapshot or export rather than a bulk read: watch `ModifyDBSnapshotAttribute` (sharing a snapshot with another account or making it public), `CopyDBSnapshot`, and `ExportTableToPointInTime`.
- API calls related to services like AWS DataSync or S3 Transfer Acceleration that are not normally used in your environment.
- Attempts to create or modify data replication configurations, such as `PutBucketReplication` for S3 cross-region replication, particularly when the destination bucket sits in an account you do not own.
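The bulk-read and replication checks from 3.A and 3.B together, as an added example that is not part of the original post. It aggregates S3 `GetObject` data events per principal, bucket and hour, sums `bytesTransferredOut`, notes off-hours activity, and reports any `PutBucketReplication`. The records are constructed; the thresholds, business hours and bucket names are assumptions.

```python
"""Added example (not from the original post): bulk S3 reads and replication
changes from CloudTrail data and management events.  Records are constructed;
thresholds and business hours are assumptions."""
from collections import defaultdict

OBJECTS_PER_HOUR = 200                   # assumption
BYTES_OUT_PER_HOUR = 500 * 1024 * 1024   # assumption: 500 MiB
BUSINESS_HOURS_UTC = range(8, 19)        # assumption
REPLICATION_EVENTS = {"PutBucketReplication"}


def s3_findings(records):
    """Aggregate GetObject per (principal, bucket, hour); emit bulk_download and
    replication_change findings.  Failed calls (errorCode set) are ignored."""
    agg = defaultdict(lambda: {"objects": 0, "bytes_out": 0, "off_hours": 0})
    findings = []
    for r in records:
        if r["eventSource"] != "s3.amazonaws.com" or r.get("errorCode"):
            continue
        principal = r["userIdentity"].get("arn")
        bucket = r.get("requestParameters", {}).get("bucketName")
        if r["eventName"] in REPLICATION_EVENTS:
            findings.append({"kind": "replication_change", "principal": principal, "bucket": bucket,
                             "event": r["eventName"], "source_ip": r["sourceIPAddress"]})
        elif r["eventName"] == "GetObject":          # data event: only present if enabled on the trail
            hour = r["eventTime"][:13]               # "YYYY-MM-DDTHH"
            a = agg[(principal, bucket, hour)]
            a["objects"] += 1
            a["bytes_out"] += r.get("additionalEventData", {}).get("bytesTransferredOut", 0)
            a["off_hours"] += int(r["eventTime"][11:13]) not in BUSINESS_HOURS_UTC
    for (principal, bucket, hour), a in agg.items():
        if a["objects"] >= OBJECTS_PER_HOUR or a["bytes_out"] >= BYTES_OUT_PER_HOUR:
            findings.append({"kind": "bulk_download", "principal": principal, "bucket": bucket,
                             "hour": hour, "objects": a["objects"], "bytes_out": a["bytes_out"],
                             "off_hours": a["off_hours"] == a["objects"]})
    return findings


# --- constructed sample records ---
ACCT = "123456789012"
STOLEN = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ci-deploy", "accessKeyId": "AKIAEXAMPLESTOLEN001"}
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}

def _get(time, bucket, key, ip, identity, nbytes):
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": {"bucketName": bucket, "key": key},
            "additionalEventData": {"bytesTransferredIn": 0, "bytesTransferredOut": nbytes}}

# 250 backup objects of 5 MiB pulled at 02:00 UTC by the stolen key, plus normal daytime reads
SAMPLE = [_get(f"2024-05-01T02:{i // 60:02d}:{i % 60:02d}Z", "corp-backups", f"db/dump-{i:04d}.gz",
               "198.51.100.7", STOLEN, 5 * 1024 * 1024) for i in range(250)]
SAMPLE += [_get(f"2024-05-01T10:00:{i:02d}Z", "app-assets", f"img/{i}.png", "203.0.113.15", ALICE, 40_000)
           for i in range(10)]
SAMPLE.append({"eventTime": "2024-05-01T02:30:00Z", "eventSource": "s3.amazonaws.com",
               "eventName": "PutBucketReplication", "sourceIPAddress": "198.51.100.7",
               "userIdentity": STOLEN, "requestParameters": {"bucketName": "corp-backups"}})

if __name__ == "__main__":
    for f in s3_findings(SAMPLE):
        print(f)
```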
4. Unexpected Security Group Modifications
Security groups control inbound and outbound traffic to AWS resources. An attacker may modify them to open additional attack vectors, such as enabling SSH or RDP access from external IP addresses to an instance they have compromised or intend to reach.
What to Look For:
- Changes to security group rules that allow inbound traffic from IP addresses outside your trusted networks, and above all rules with a source of `0.0.0.0/0` or `::/0`.
- API calls such as `AuthorizeSecurityGroupIngress`, `AuthorizeSecurityGroupEgress`, or `RevokeSecurityGroupEgress` that do not align with normal operations; the rule contents are in `requestParameters.ipPermissions`.
- Creation of new security groups (`CreateSecurityGroup`) with overly permissive rules, such as allowing all inbound traffic on common ports.
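Parsing those rule contents, as an added example that is not from the original post: the code walks `requestParameters.ipPermissions.items` (and the older single-rule form with `cidrIp` at the top level) of each `AuthorizeSecurityGroupIngress` record and flags any rule that exposes a sensitive port to the world or to a range outside the trusted networks. Records are constructed; the trusted ranges and port list are assumptions, and a world-open 443 is deliberately not flagged.

```python
"""Added example (not from the original post): flag AuthorizeSecurityGroupIngress
rules that open sensitive ports to untrusted ranges.  Records are constructed;
TRUSTED_CIDRS and SENSITIVE_PORTS are assumptions."""
import ipaddress

TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.0.0.0/8")]  # assumption
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}   # assumption: admin and database ports


def _permissions(params):
    """Yield rule dicts from the current ipPermissions.items form, or synthesize
    one from the older single-rule form (cidrIp/fromPort/toPort at top level)."""
    items = params.get("ipPermissions", {}).get("items")
    if items:
        yield from items
    elif "cidrIp" in params:
        yield {"ipProtocol": params.get("ipProtocol"), "fromPort": params.get("fromPort"),
               "toPort": params.get("toPort"), "ipRanges": {"items": [{"cidrIp": params["cidrIp"]}]}}


def _ports_hit(perm):
    """Sensitive ports covered by the rule; protocol -1 (all traffic) covers everything."""
    if perm.get("ipProtocol") == "-1" or perm.get("fromPort") is None:
        return set(SENSITIVE_PORTS)
    return {p for p in SENSITIVE_PORTS if perm["fromPort"] <= p <= perm["toPort"]}


def _cidrs(perm):
    for x in perm.get("ipRanges", {}).get("items", []):
        yield x["cidrIp"]
    for x in perm.get("ipv6Ranges", {}).get("items", []):
        yield x["cidrIpv6"]


def sg_findings(records):
    findings = []
    for r in records:
        if (r["eventSource"] != "ec2.amazonaws.com" or r["eventName"] != "AuthorizeSecurityGroupIngress"
                or r.get("errorCode")):
            continue
        params = r["requestParameters"]
        for perm in _permissions(params):
            for cidr in _cidrs(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                world = net.prefixlen == 0                       # 0.0.0.0/0 or ::/0
                trusted = any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_CIDRS)
                ports = _ports_hit(perm)
                if ports and not trusted:
                    findings.append({"group": params.get("groupId"), "cidr": cidr, "ports": sorted(ports),
                                     "severity": "world" if world else "untrusted",
                                     "by": r["userIdentity"].get("arn"), "source_ip": r["sourceIPAddress"]})
    return findings


# --- constructed sample records ---
ACCT = "123456789012"
STOLEN = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ci-deploy", "accessKeyId": "AKIAEXAMPLESTOLEN001"}
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}

def _auth(time, ip, identity, group, proto, fr, to, cidr, v6=False):
    rng = {"ipv6Ranges": {"items": [{"cidrIpv6": cidr}]}} if v6 else {"ipRanges": {"items": [{"cidrIp": cidr}]}}
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
            "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": {"groupId": group,
                                  "ipPermissions": {"items": [{"ipProtocol": proto, "fromPort": fr, "toPort": to, **rng}]}}}

SAMPLE = [
    _auth("2024-05-01T03:20:00Z", "198.51.100.7", STOLEN, "sg-0123456789abcdef0", "tcp", 22, 22, "0.0.0.0/0"),
    _auth("2024-05-01T03:21:00Z", "198.51.100.7", STOLEN, "sg-0123456789abcdef0", "tcp", 3389, 3389, "198.51.100.0/24"),
    _auth("2024-05-01T03:22:00Z", "198.51.100.7", STOLEN, "sg-0123456789abcdef0", "-1", None, None, "::/0", v6=True),
    _auth("2024-05-01T09:30:00Z", "203.0.113.15", ALICE, "sg-0fedcba987654321f", "tcp", 443, 443, "0.0.0.0/0"),
    _auth("2024-05-01T09:31:00Z", "203.0.113.15", ALICE, "sg-0fedcba987654321f", "tcp", 22, 22, "10.20.0.0/16"),
    {   # older single-rule request form
        "eventTime": "2024-05-01T03:23:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7", "userIdentity": STOLEN,
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipProtocol": "tcp",
                              "fromPort": 5432, "toPort": 5432, "cidrIp": "0.0.0.0/0"}},
]

if __name__ == "__main__":
    for f in sg_findings(SAMPLE):
        print(f["severity"], f["group"], f["cidr"], f["ports"], f["by"])
```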
5. Steps for Mitigating the Risk of Stolen API Keys
A. Implement the Principle of Least Privilege
To minimize the damage an attacker can do with stolen API keys, apply the principle of least privilege across your AWS account. Ensure that IAM users and roles have only the permissions necessary to perform their tasks; IAM Access Analyzer's unused-access findings and policy generation from CloudTrail activity show you what a principal has actually used, so you can cut the rest.
B. Enforce Multi-Factor Authentication (MFA)
Require MFA for all IAM users, particularly those with administrative privileges. Be clear about what this buys you: MFA on the console login does nothing against a stolen long-lived access key, because the key works on its own. To make MFA matter for API access, attach an `aws:MultiFactorAuthPresent` condition to the policies those users carry (so the key is only useful after an MFA-backed `GetSessionToken` or `AssumeRole`), or better still, remove long-lived keys altogether in favour of short-lived role credentials (IAM Identity Center for people, instance profiles and IAM Roles Anywhere for workloads).
C. Regularly Rotate and Audit Access Keys
Regularly rotate access keys and ensure that they are tied to IAM users who actually need them. The IAM credential report (`GenerateCredentialReport`) and `GetAccessKeyLastUsed` tell you each key's age and last use; anything old, never used, or used from an unexpected location should be rotated or removed.
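An audit of that kind, as an added example that is not from the original post: the function below takes key metadata in the shape IAM returns from `ListAccessKeys` joined with the `LastUsedDate` from `GetAccessKeyLastUsed` and decides, per key, whether to keep, rotate, or delete it. The key inventory is constructed; `MAX_AGE` and `MAX_IDLE` are assumptions.

```python
"""Added example (not from the original post): age and staleness audit of IAM
access keys.  The inventory is constructed; MAX_AGE and MAX_IDLE are assumptions."""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)    # assumption: rotate anything older than this
MAX_IDLE = timedelta(days=30)   # assumption: keys unused this long should go


def audit_access_keys(keys, now):
    """keys: dicts with UserName, AccessKeyId, Status, CreateDate and LastUsedDate
    (None if never used).  Returns (user, key id, verdict, reason) tuples for every
    key, including 'ok' ones, so the output doubles as a complete inventory."""
    out = []
    for k in keys:
        user, kid = k["UserName"], k["AccessKeyId"]
        age = now - k["CreateDate"]
        last = k.get("LastUsedDate")
        idle = (now - last) if last else age
        if k["Status"] != "Active":
            out.append((user, kid, "delete", "inactive key still exists"))
        elif last is None and age >= MAX_IDLE:
            out.append((user, kid, "delete", "never used since creation"))
        elif idle >= MAX_IDLE:
            out.append((user, kid, "delete", f"unused for {idle.days} days"))
        elif age >= MAX_AGE:
            out.append((user, kid, "rotate", f"{age.days} days old"))
        else:
            out.append((user, kid, "ok", ""))
    return out


# --- constructed inventory (not real account data) ---
def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = _d(2024, 5, 1)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEALICE0001", "Status": "Active",
     "CreateDate": _d(2024, 4, 15), "LastUsedDate": _d(2024, 4, 30)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLEBOB000001", "Status": "Active",
     "CreateDate": _d(2024, 1, 1), "LastUsedDate": _d(2024, 4, 29)},
    {"UserName": "backup-svc", "AccessKeyId": "AKIAEXAMPLEBKUP00001", "Status": "Active",
     "CreateDate": _d(2024, 2, 15), "LastUsedDate": None},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLEOLDCI0001", "Status": "Inactive",
     "CreateDate": _d(2023, 6, 1), "LastUsedDate": _d(2023, 12, 1)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLECAROL0001", "Status": "Active",
     "CreateDate": _d(2024, 3, 1), "LastUsedDate": _d(2024, 3, 10)},
]

if __name__ == "__main__":
    for user, kid, verdict, reason in audit_access_keys(SAMPLE_KEYS, NOW):
        print(f"{verdict:7} {user:12} {kid} {reason}")
```

Run it against real data by paginating `list_access_keys` per user and calling `get_access_key_last_used` for each key; the inactive-but-present case is worth keeping in the rules, since an attacker with `iam:UpdateAccessKey` can switch such a key back on.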
D. Enable and Monitor CloudTrail and GuardDuty
Ensure that CloudTrail is enabled in all regions (a multi-region trail, or an organization trail if you use AWS Organizations) and that logs are centralized for analysis, ideally in an S3 bucket in a dedicated logging account with log file validation turned on so that tampering with the logs is detectable. Additionally, GuardDuty provides near-real-time detection of malicious activity, offering another layer of protection against compromised credentials. Consider Amazon Detective to have some analysis built on top of the findings.
E. Use AWS Config for Compliance Monitoring
AWS Config can be used to monitor compliance with security best practices, including the proper use of IAM policies and security groups. Its managed rules, such as those that flag security groups open to the world or access keys past their rotation age, help identify misconfigurations that could leave your account vulnerable to attack.
Conclusion
The security of your AWS environment hinges on vigilant monitoring and rapid detection of anomalies in CloudTrail logs. By understanding the typical patterns of legitimate usage and staying alert to deviations from those patterns, security professionals can detect and respond to potential compromises, such as those involving stolen API keys, before they cause significant damage. As cloud environments continue to evolve, maintaining a proactive stance on security is essential to protecting sensitive data and ensuring the integrity of your AWS infrastructure. If you want to learn more about what to look for in AWS for signs of intrusion, along with Microsoft and Google clouds, you may consider my class FOR509 running at SANS Cyber Defense Initiative 2024. Visit for509.com to learn more.