Key Indicators in CloudTrail Logs for Stolen API Keys

Aug 20, 2024 | The Hacker News | Cybersecurity / Cloud Security


As cloud infrastructure becomes the backbone of modern enterprises, ensuring the security of these environments is paramount. With AWS (Amazon Web Services) still the dominant cloud, it is important for any security professional to know where to look for signs of compromise. AWS CloudTrail stands out as a critical tool for monitoring and logging API activity, providing a comprehensive record of actions taken within an AWS account. Think of AWS CloudTrail as an audit or event log for all the API calls made in your AWS account. For security professionals, monitoring these logs is crucial, particularly when it comes to detecting potential unauthorized access, such as through stolen API keys. These techniques, and many others, I've learned through the incidents I've worked in AWS and that we built into SANS FOR509, Enterprise Cloud Forensics.

1. Unusual API Calls and Access Patterns

A. Sudden Spike in API Requests

One of the first indicators of a potential security breach is an unexpected increase in API requests. CloudTrail logs every API call made within your AWS account, including who made the call, when it was made, and from where. An attacker with stolen API keys might issue a large number of requests in a short time frame, either probing the account for information or attempting to exploit certain services.

What to Look For:

  • A sudden, uncharacteristic surge in API activity.
  • API calls from unusual IP addresses, particularly from regions where legitimate users don't operate.
  • Access attempts across a wide variety of services, especially ones not typically used by your organization.

Note that GuardDuty (if enabled) will automatically flag these kinds of events, but you have to be watching to find them.

B. Unauthorized Use of the Root Account

AWS strongly recommends avoiding the use of the root account for day-to-day operations because of its high level of privileges. Any access to the root account, especially if API keys associated with it are being used, is a significant red flag.

What to Look For:

  • API calls made with root account credentials, especially if the root account isn't normally used.
  • Changes to account-level settings, such as modifying billing information or account configurations.
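As an added example (not code from the article), the three checks from sections 1A and 1B run over constructed CloudTrail-shaped records: a sliding-window request spike per access key, calls from outside an assumed trusted network range, and any call made with root credentials. The trusted range, thresholds, sample IPs and key IDs are all assumptions.

```python
# Added example (not the article's code): spike, untrusted-IP and root-use checks over constructed records.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed corporate egress range
FMT = "%Y-%m-%dT%H:%M:%SZ"                                 # CloudTrail eventTime layout

def _rec(t, name, service, ip, ident_type="IAMUser", key="AKIAEXAMPLEKEY000001"):
    # Constructed CloudTrail-shaped record holding only the fields the checks read.
    return {"eventTime": t.strftime(FMT), "eventName": name, "eventSource": f"{service}.amazonaws.com",
            "sourceIPAddress": ip, "userIdentity": {"type": ident_type, "accessKeyId": key}}

T0 = datetime(2024, 8, 20, 3, 15, 0)
PROBES = [("ListBuckets", "s3"), ("DescribeInstances", "ec2"), ("ListUsers", "iam"),
          ("ListSecrets", "secretsmanager"), ("GetCallerIdentity", "sts")] * 5
# Sample: 25 enumeration calls in 48 s from an unfamiliar IP, then one root call, then one routine call.
RECORDS = [_rec(T0 + timedelta(seconds=2 * i), n, s, "203.0.113.7") for i, (n, s) in enumerate(PROBES)]
RECORDS.append(_rec(T0 + timedelta(minutes=5), "UpdateAccountPasswordPolicy", "iam", "203.0.113.7",
                    ident_type="Root", key="AKIAROOTEXAMPLE00001"))
RECORDS.append(_rec(T0 + timedelta(hours=6), "DescribeInstances", "ec2", "198.51.100.20", key="AKIAEXAMPLEKEY000002"))

def spikes(records, window_s=60, threshold=20):
    """{accessKeyId: peak calls inside any sliding window of window_s seconds}, keys at/over threshold only."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r["userIdentity"]["accessKeyId"]].append(datetime.strptime(r["eventTime"], FMT))
    hits = {}
    for key, times in by_key.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > timedelta(seconds=window_s):
                j += 1                      # slide the window start forward
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits

def _untrusted(ip):
    try:                                    # service principals appear as DNS names, not IPs: skip them
        return not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False

def untrusted_ips(records):
    return [r for r in records if _untrusted(r["sourceIPAddress"])]

def root_usage(records):
    """Any call authenticated as the account root user (section 1B)."""
    return [r for r in records if r["userIdentity"]["type"] == "Root"]
```

In production the baseline for the spike threshold should come from the key's own history, not a fixed number.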

2. Anomalous IAM Activity

A. Suspicious Creation of Access Keys

Attackers may create new access keys to establish persistent access to the compromised account. Monitoring CloudTrail logs for the creation of new access keys is crucial, especially if these keys are created for accounts that normally don't require them.

What to Look For:

  • Creation of new access keys for IAM users, particularly those who haven't needed them before.
  • Immediate use of newly created access keys, which could indicate an attacker is testing or using those keys.
  • API calls related to `CreateAccessKey`, `ListAccessKeys`, and `UpdateAccessKey`.

C. Role Assumption Patterns

AWS allows users to assume roles, granting them temporary credentials for specific tasks. Monitoring for unusual role assumption patterns is essential, as an attacker might assume roles to pivot across the environment.

What to Look For:

  • Unusual or frequent `AssumeRole` API calls, especially to roles with elevated privileges.
  • Role assumptions from IP addresses or regions not normally associated with your legitimate users.
  • Role assumptions that are followed by actions inconsistent with normal business operations.
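An added example (not the article's code) covering sections 2A and 2C: it pairs each `CreateAccessKey` record with the first call made using the key returned in its `responseElements`, and flags `AssumeRole` calls that target an assumed list of privileged roles or come from an IP the user has not been seen on. The records, role ARNs, key IDs and the per-user IP baseline are constructed assumptions.

```python
# Added example (not the article's code): CreateAccessKey-to-first-use correlation and AssumeRole baseline checks.
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
PRIVILEGED_ROLES = {"arn:aws:iam::123456789012:role/OrgAdmin"}   # assumed high-value roles
BASELINE_IPS = {"ci-deploy": {"198.51.100.20"}}                   # assumed historical source IPs per user

def _evt(time, service, name, ip, user, key, **extra):
    # Constructed record; requestParameters/responseElements use CloudTrail's field names.
    rec = {"eventTime": time, "eventSource": f"{service}.amazonaws.com", "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}
    return {**rec, **extra}

RECORDS = [
    _evt("2024-08-20T03:20:00Z", "iam", "CreateAccessKey", "203.0.113.7", "ci-deploy", "AKIAEXAMPLEKEY000001",
         requestParameters={"userName": "ci-deploy"},
         responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLEKEY000009", "status": "Active", "userName": "ci-deploy"}}),
    _evt("2024-08-20T03:20:45Z", "sts", "AssumeRole", "203.0.113.7", "ci-deploy", "AKIAEXAMPLEKEY000009",
         requestParameters={"roleArn": "arn:aws:iam::123456789012:role/OrgAdmin", "roleSessionName": "s1"}),
    _evt("2024-08-20T09:00:00Z", "sts", "AssumeRole", "198.51.100.20", "ci-deploy", "AKIAEXAMPLEKEY000001",
         requestParameters={"roleArn": "arn:aws:iam::123456789012:role/DeployRole", "roleSessionName": "build-42"}),
]

def quick_key_use(records, within=timedelta(minutes=10)):
    """(new key, seconds from creation to first use, first eventName) for keys used within `within`."""
    created, hits = {}, []
    for r in sorted(records, key=lambda r: r["eventTime"]):        # ISO-8601 "Z" timestamps sort as text
        key = r["userIdentity"].get("accessKeyId")
        if r["eventName"] == "CreateAccessKey" and r.get("responseElements"):    # absent when the call failed
            created[r["responseElements"]["accessKey"]["accessKeyId"]] = datetime.strptime(r["eventTime"], FMT)
        elif key in created:
            gap = datetime.strptime(r["eventTime"], FMT) - created.pop(key)       # pop: report first use only
            if gap <= within:
                hits.append((key, int(gap.total_seconds()), r["eventName"]))
    return hits

def odd_assume_role(records):
    """(eventTime, user, role name, reasons) for AssumeRole calls to privileged roles or from unseen IPs."""
    out = []
    for r in (x for x in records if x["eventName"] == "AssumeRole"):
        user, role = r["userIdentity"].get("userName", "?"), r["requestParameters"]["roleArn"]
        reasons = (["privileged-role"] if role in PRIVILEGED_ROLES else []) + \
                  (["new-source-ip"] if r["sourceIPAddress"] not in BASELINE_IPS.get(user, set()) else [])
        if reasons:
            out.append((r["eventTime"], user, role.rsplit("/", 1)[1], reasons))
    return out
```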

3. Anomalous Data Access and Movement

A. Unusual S3 Bucket Access

Amazon S3 is often a target for attackers, given that it can store vast amounts of potentially sensitive data. Monitoring CloudTrail for unusual access to S3 buckets is critical in detecting compromised API keys.

What to Look For:

  • API calls related to `ListBuckets`, `GetObject`, or `PutObject` for buckets that don't normally see such activity.
  • Large-scale data downloads or uploads to and from S3 buckets, especially if they occur outside of normal business hours.
  • Access attempts to buckets that store sensitive data, such as backups or confidential files.

B. Data Exfiltration Attempts

An attacker may attempt to move data out of your AWS environment. CloudTrail logs can help detect such exfiltration attempts, especially if the data transfer patterns are unusual.

What to Look For:

  • Large data transfers from services like S3, RDS (Relational Database Service), or DynamoDB, especially to external or unknown IP addresses.
  • API calls related to services like AWS DataSync or S3 Transfer Acceleration that aren't normally used in your environment.
  • Attempts to create or modify data replication configurations, such as those involving S3 cross-region replication.
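An added example (not the article's code) for sections 3A and 3B: it aggregates `GetObject` records per access key and bucket, flags pairs that exceed an assumed object or byte threshold and notes after-hours reads, and lists bucket configuration changes from an assumed watchlist. It assumes S3 data events are enabled on the trail (otherwise `GetObject` never appears in CloudTrail), and the business-hours window, thresholds and sample records are constructed.

```python
# Added example (not the article's code): bulk S3 download aggregation and replication-change watchlist.
# Assumes S3 data events are enabled on the trail; without them GetObject never reaches CloudTrail.
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)                                                       # assumed 08:00-17:59 UTC
EXFIL_CONFIG_EVENTS = {"PutBucketReplication", "PutBucketAccelerateConfiguration"}  # assumed watchlist

def _get(time, key, n, ip="203.0.113.7", bucket="corp-backups"):
    # Constructed S3 data-event record; bytesTransferredOut mirrors CloudTrail's additionalEventData field.
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key},
            "requestParameters": {"bucketName": bucket, "key": f"db/dump-{n:03d}.gz"},
            "additionalEventData": {"bytesTransferredOut": 50_000_000}}

# Sample: 120 backup objects (6 GB) pulled at 02:00 UTC by one key, 3 routine fetches at 10:00, one replication change.
RECORDS = [_get(f"2024-08-20T02:{i // 60:02d}:{i % 60:02d}Z", "AKIAEXAMPLEKEY000009", i) for i in range(120)]
RECORDS += [_get(f"2024-08-20T10:00:{i:02d}Z", "AKIAEXAMPLEKEY000001", i, "198.51.100.20", "app-assets") for i in range(3)]
RECORDS.append({"eventTime": "2024-08-20T02:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
                "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000009"},
                "requestParameters": {"bucketName": "corp-backups"}})

def bulk_downloads(records, max_objects=100, max_bytes=1_000_000_000):
    """Per (accessKeyId, bucket): objects read, bytes out, and whether any read fell outside business hours.
    Only pairs over either threshold are returned; tune the thresholds to the bucket's normal traffic."""
    stats = defaultdict(lambda: {"objects": 0, "bytes": 0, "after_hours": False})
    for r in records:
        if r["eventName"] != "GetObject":
            continue
        s = stats[(r["userIdentity"].get("accessKeyId"), r["requestParameters"]["bucketName"])]
        s["objects"] += 1
        s["bytes"] += r.get("additionalEventData", {}).get("bytesTransferredOut", 0)
        s["after_hours"] |= datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour not in BUSINESS_HOURS
    return {k: v for k, v in stats.items() if v["objects"] >= max_objects or v["bytes"] >= max_bytes}

def replication_changes(records):
    """(eventName, bucket, source IP) for bucket-level changes on the EXFIL_CONFIG_EVENTS watchlist."""
    return [(r["eventName"], r["requestParameters"]["bucketName"], r["sourceIPAddress"])
            for r in records if r["eventName"] in EXFIL_CONFIG_EVENTS]
```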

4. Unexpected Security Group Changes

Security groups control inbound and outbound traffic to AWS resources. An attacker might modify these settings to open up additional attack vectors, such as enabling SSH access from external IP addresses.

What to Look For:

  • Changes to security group rules that allow inbound traffic from IP addresses outside your trusted network.
  • API calls related to `AuthorizeSecurityGroupIngress` or `RevokeSecurityGroupEgress` that don't align with normal operations.
  • Creation of new security groups with overly permissive rules, such as allowing all inbound traffic on common ports.
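An added example (not the article's code) for section 4: it walks the nested `requestParameters.ipPermissions.items` structure that CloudTrail records for `AuthorizeSecurityGroupIngress` and reports each CIDR that lies outside an assumed trusted range, covers an assumed list of sensitive ports, or is open to the world. The group ID, key IDs, IPs and port list are constructed assumptions.

```python
# Added example (not the article's code): flag AuthorizeSecurityGroupIngress rules opened beyond trusted ranges.
# The nesting (ipPermissions.items, ipRanges.items) mirrors CloudTrail's requestParameters for this call.
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed corporate range
SENSITIVE_PORTS = {22, 3389, 3306, 5432}                    # assumed: SSH, RDP, MySQL, PostgreSQL

def _authorize(time, ip, key, proto, lo, hi, cidr):
    # Constructed record with a single IPv4 rule; real records may carry several permissions and IPv6 ranges.
    return {"eventTime": time, "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
                {"ipProtocol": proto, "fromPort": lo, "toPort": hi,
                 "ipRanges": {"items": [{"cidrIp": cidr}]}, "ipv6Ranges": {"items": []}}]}}}

RECORDS = [
    _authorize("2024-08-20T03:30:00Z", "203.0.113.7", "AKIAEXAMPLEKEY000009", "tcp", 22, 22, "0.0.0.0/0"),
    _authorize("2024-08-20T10:00:00Z", "198.51.100.20", "AKIAEXAMPLEKEY000001", "tcp", 443, 443, "198.51.100.0/24"),
]

def _cidrs(perm):
    for r in perm.get("ipRanges", {}).get("items", []):
        yield r["cidrIp"]
    for r in perm.get("ipv6Ranges", {}).get("items", []):
        yield r["cidrIpv6"]

def risky_ingress(records):
    """(groupId, protocol, fromPort, toPort, cidr, reasons) for every rule opened beyond TRUSTED_NETS."""
    hits = []
    for rec in records:
        if rec["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        params = rec["requestParameters"]
        for perm in params.get("ipPermissions", {}).get("items", []):
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)   # ports are absent for ipProtocol "-1" (all)
            for cidr in _cidrs(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                reasons = []
                if not any(net.subnet_of(t) for t in TRUSTED_NETS if t.version == net.version):
                    reasons.append("untrusted-source")
                if any(lo <= p <= hi for p in SENSITIVE_PORTS):
                    reasons.append("sensitive-port")
                if net.prefixlen == 0:
                    reasons.append("world-open")
                if reasons:
                    hits.append((params["groupId"], perm["ipProtocol"], lo, hi, cidr, reasons))
    return hits
```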

5. Steps for Mitigating the Risk of Stolen API Keys

A. Implement the Principle of Least Privilege

To minimize the damage an attacker can do with stolen API keys, implement the principle of least privilege across your AWS account. Ensure that IAM users and roles have only the permissions necessary to perform their tasks.

B. Enforce Multi-Factor Authentication (MFA)

Require MFA for all IAM users, particularly those with administrative privileges. This adds an additional layer of security, making it harder for attackers to gain access even if they have stolen API keys.

C. Regularly Rotate and Audit Access Keys

Regularly rotate access keys and ensure that they are tied to IAM users who actually need them. Additionally, audit the use of access keys to ensure they are not being abused or used from unexpected locations.
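An added example (not the article's code) for sections 5B and 5C: it parses an IAM credential report, whose column names are those of `aws iam get-credential-report` after base64 decoding, and reports console users without MFA and active access keys that are older than an assumed age limit, idle beyond an assumed limit, never used, or attached to the root account. The rows, the fixed "now" and the day thresholds are constructed assumptions.

```python
# Added example (not the article's code): audit a credential report for missing MFA and stale or root access keys.
# Column names match `aws iam get-credential-report` output (after base64 decoding); rows are constructed.
import csv
import io
from datetime import datetime, timezone

REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-08-19T03:40:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2024-08-19T03:41:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-08-18T09:00:00+00:00,2024-06-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-11-01T00:00:00+00:00,2024-08-19T10:00:00+00:00,us-east-1,s3,true,2024-08-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""
NOW = datetime(2024, 8, 20, tzinfo=timezone.utc)   # fixed "current" time so the ages below are reproducible

def _days_since(stamp, now):
    """Whole days from an ISO-8601 timestamp to now; None for N/A, no_information or not_supported."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None

def audit(report=REPORT, now=NOW, max_age=90, max_idle=30):
    """(user, credential, finding) triples; the day thresholds are assumed policy values."""
    findings = []
    for row in csv.DictReader(io.StringIO(report)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "password", "no-mfa"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            cred = f"key{slot}"
            age = _days_since(row[f"access_key_{slot}_last_rotated"], now)
            idle = _days_since(row[f"access_key_{slot}_last_used_date"], now)
            if user == "<root_account>":
                findings.append((user, cred, "root-key-active"))   # root should have no access keys at all
            if age is not None and age > max_age:
                findings.append((user, cred, f"age-{age}d"))
            if idle is None:
                findings.append((user, cred, "never-used"))        # active but unused: a removal candidate
            elif idle > max_idle:
                findings.append((user, cred, f"idle-{idle}d"))
    return findings
```

The report itself is a point-in-time snapshot, so pair this with the CloudTrail `accessKeyId` and `sourceIPAddress` fields to see where each key is actually being used from.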

D. Enable and Monitor CloudTrail and GuardDuty

Ensure that CloudTrail is enabled in all regions and that logs are centralized for analysis. Additionally, AWS GuardDuty can provide real-time monitoring for malicious activity, offering another layer of protection against compromised credentials. Consider AWS Detective to add some intelligence on top of the findings.

E. Use AWS Config for Compliance Monitoring

AWS Config can be used to monitor compliance with security best practices, including the proper use of IAM policies and security groups. This tool can help identify misconfigurations that might leave your account vulnerable to attack.

Conclusion

The security of your AWS environment hinges on vigilant monitoring and rapid detection of anomalies within CloudTrail logs. By understanding the typical patterns of legitimate usage and staying alert to deviations from those patterns, security professionals can detect and respond to potential compromises, such as those involving stolen API keys, before they cause significant damage. As cloud environments continue to evolve, maintaining a proactive stance on security is critical to protecting sensitive data and ensuring the integrity of your AWS infrastructure. If you want to learn more about what to look for in AWS for signs of intrusion, along with the Microsoft and Google clouds, you might consider my class FOR509, running at SANS Cyber Defense Initiative 2024. Visit for509.com to learn more.

This article is a contributed piece from one of our valued partners.
