About Threat Detection
AWS-native threat detection services¶
- GuardDuty - AWS threat detection service that monitors your environment(s) for unusual and potentially malicious activity. It receives data from many different AWS services.
- Detective - Investigate security events visually
- Security Hub - Cloud security posture management (CSPM) for continuous monitoring against benchmarks configuration checks and best practices
What events might indicate a threat actor has infiltrated your environment(s)?¶
A great way to understand what to look for with threat detection is to study real-world incident reports, because they will often share Indicators of Compromise (IoCs).
While this is not a comprehensive list, below is a list of some commonly used API actions during incidents by threat actors. Of course, just because one of these actions is taken in your account doesn't automatically mean you've been breached. These actions can all be legitimately used as well, otherwise they wouldn't be part of the AWS API. The tricky part is identifying when they're legitimately used and when they're not.
IAM Configuration Changes¶
| API Call | Explanation | Example of how this can be exploited |
|---|---|---|
iam:ChangePassword |
Changes the password of the IAM user who is calling this operation | |
iam:CreateUser |
Creates a new IAM user for your AWS account | |
iam:CreateRole |
Creates a new role for your AWS account | |
iam:CreateGroup |
Creates a new group | |
iam:AddUserToGroup |
Adds a user to a group with potentially higher privileges | Example |
iam:AttachUserPolicy |
Attaches the specified managed policy to the specified user | |
iam:AttachRolePolicy |
Attaches the specified managed policy to the specified IAM role | Example |
iam:AttachGroupPolicy |
Attaches the specified managed policy to the specified IAM group | Example |
iam:PutUserPolicy |
Adds an inline policy for a specified user | Example |
iam:PutGroupPolicy |
Adds an inline policy for a specified IAM group | Example |
iam:PutRolePolicy |
Adds an inline policy for a specified IAM role | Example |
iam:ListAccessKeys |
Returns information about the access key IDs associated with the specified IAM user | |
iam:CreatePolicyVersion |
Creates a new version of the specified managed policy | |
iam:CreateLoginProfile |
Enables console login for a user with a password set by the threat actor. Only possible if the user doesn't already have a console login created | Example |
iam:UpdateLoginProfile |
Changes the password for the specified IAM user to a password of the threat actor's choosing | Example |
iam:CreateAccessKey |
Creates a new AWS secret access key and corresponding AWS access key ID for the specified user | Example |
iam:UpdateAccessKey |
Changes the status of the specified access key from Active to Inactive, or vice versa. | |
iam:DeactivateMFADevice |
Deactivates the specified MFA device and removes it from association with the username for which it was originally enabled | Example |