As cloud infrastructure becomes the backbone of modern enterprises, ensuring the security of these environments is paramount. With AWS (Amazon Web Services) still the dominant cloud, it is important for any security professional to know where to look for signs of compromise. AWS CloudTrail stands out as an essential tool for monitoring and logging API activity, providing a comprehensive record of actions taken within an AWS account. Think of AWS CloudTrail as an audit or event log for all the API calls made in your AWS account. For security professionals, monitoring these logs is critical, particularly when it comes to detecting potential unauthorized access, such as through stolen API keys. These techniques, and many others, I've learned through the incidents I've worked in AWS, and we built them into SANS FOR509, Enterprise Cloud Forensics.
1. Unusual API Calls and Access Patterns
A. Sudden Spike in API Requests
One of the first indicators of a potential security breach is an unexpected increase in API requests. CloudTrail logs every API call made within your AWS account, including who made the call, when it was made, and from where. An attacker with stolen API keys may issue a large number of requests in a short time frame, either probing the account for information or attempting to exploit particular services.
What to Look For:
- A sudden, uncharacteristic surge in API activity.
- API calls from unusual IP addresses, particularly from regions where legitimate users do not operate.
- Access attempts to a wide variety of services, especially ones that are not normally used by your organization.
Note that GuardDuty (if enabled) will automatically flag these kinds of events, but you still have to be watching to find them.
B. Unauthorized Use of the Root Account
AWS strongly recommends avoiding use of the root account for day-to-day operations because of its high level of privileges. Any access with the root account, especially if API keys associated with it are being used, is a major red flag.
What to Look For:
- API calls made with root account credentials, especially if the root account is not normally used.
- Changes to account-level settings, such as modifying billing information or account configurations.
2. Anomalous IAM Activity
A. Suspicious Creation of Access Keys
Attackers may create new access keys to establish persistent access to the compromised account. Monitoring CloudTrail logs for the creation of new access keys is essential, especially if those keys are created for accounts that normally do not need them.
What to Look For:
- Creation of new access keys for IAM users, particularly users who have not needed them before.
- Immediate use of newly created access keys, which may indicate an attacker is testing or using those keys.
- API calls related to `CreateAccessKey`, `ListAccessKeys`, and `UpdateAccessKey`.
B. Role Assumption Patterns
AWS allows users to assume roles, granting them temporary credentials for specific tasks. Monitoring for unusual role assumption patterns is important, as an attacker may assume roles to pivot within the environment.
What to Look For:
- Unusual or frequent `AssumeRole` API calls, especially to roles with elevated privileges.
- Role assumptions from IP addresses or regions not normally associated with your legitimate users.
- Role assumptions that are followed by actions inconsistent with normal business operations.
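The root-account, new-access-key and AssumeRole indicators from the two sections above, as an added example that is not part of the original post: it reads a CloudTrail log file in the `{"Records": [...]}` layout and flags root credential use, `CreateAccessKey` events, use of a newly issued key within minutes of its creation, and `AssumeRole` calls from outside a trusted range. The log records, account id, key ids and trusted address prefixes are all constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail log file (not real events) in the {"Records": [...]} layout CloudTrail
# delivers to S3; only the fields the checks below read are included.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2024-05-01T02:10:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLE000000001"},
  "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000002", "userName": "bob"}}},
 {"eventTime": "2024-05-01T02:11:30Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLE000000002"}},
 {"eventTime": "2024-05-01T02:15:00Z", "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLE000000002"},
  "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole"}},
 {"eventTime": "2024-05-01T09:00:00Z", "eventName": "UpdateAccountPasswordPolicy", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "123456789012"}},
 {"eventTime": "2024-05-01T09:05:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000003"}}
]}"""

TRUSTED_PREFIXES = ("198.51.100.", "192.0.2.")  # constructed corporate egress ranges (prefix match for brevity)
QUICK_USE = timedelta(minutes=30)               # first use of a brand-new key inside this window is suspicious

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def triage(log_text):
    """Return (indicator, detail, eventTime) tuples for the root-use, new-key and AssumeRole indicators."""
    findings, created = [], {}   # created: new accessKeyId -> time it was issued
    for ev in sorted(json.loads(log_text)["Records"], key=lambda e: e["eventTime"]):
        t, ident, ip = parse_time(ev["eventTime"]), ev["userIdentity"], ev.get("sourceIPAddress", "")
        if ident.get("type") == "Root":                        # any root API call deserves a look
            findings.append(("root-credential-use", ev["eventName"], t))
        if ev["eventName"] == "CreateAccessKey":               # persistence: a new long-lived credential
            new_key = (ev.get("responseElements") or {}).get("accessKey", {}).get("accessKeyId")
            if new_key:
                created[new_key] = t
            findings.append(("access-key-created", new_key or "?", t))
        key = ident.get("accessKeyId")
        if key in created and t - created[key] <= QUICK_USE:   # key used minutes after it was minted
            findings.append(("new-key-used-quickly", ev["eventName"], t))
        if ev["eventName"] == "AssumeRole" and not ip.startswith(TRUSTED_PREFIXES):
            role = ev.get("requestParameters", {}).get("roleArn", "?")
            findings.append(("assumerole-from-untrusted-ip", role, t))
    return findings
```

In production the same logic runs over every gzipped log object CloudTrail writes to the trail bucket, with the trusted ranges taken from your own network inventory.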
3. Anomalous Data Access and Movement
A. Unusual S3 Bucket Access
Amazon S3 is often a target for attackers, given that it can store vast amounts of potentially sensitive data. Monitoring CloudTrail for unusual access to S3 buckets is critical in detecting compromised API keys.
What to Look For:
- API calls related to `ListBuckets`, `GetObject`, or `PutObject` for buckets that do not normally see such activity.
- Large-scale data downloads or uploads to and from S3 buckets, especially if they occur outside of normal business hours.
- Access attempts to buckets that store sensitive data, such as backups or confidential files.
B. Data Exfiltration Attempts
An attacker may attempt to move data out of your AWS environment. CloudTrail logs can help detect such exfiltration attempts, especially if the data transfer patterns are unusual.
What to Look For:
- Large data transfers from services like S3, RDS (Relational Database Service), or DynamoDB, especially to external or unknown IP addresses.
- API calls related to services like AWS DataSync or S3 Transfer Acceleration that are not normally used in your environment.
- Attempts to create or modify data replication configurations, such as those involving S3 cross-region replication.
4. Unexpected Security Group Modifications
Security groups control inbound and outbound traffic to AWS resources. An attacker might modify these settings to open up additional attack vectors, such as enabling SSH access from external IP addresses.
What to Look For:
- Changes to security group rules that allow inbound traffic from IP addresses outside your trusted network.
- API calls related to `AuthorizeSecurityGroupIngress` or `RevokeSecurityGroupEgress` that do not align with normal operations.
- Creation of new security groups with overly permissive rules, such as allowing all inbound traffic on common ports.
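The ingress checks in this section, as an added example that is not from the original post: it walks the `ipPermissions` of an `AuthorizeSecurityGroupIngress` CloudTrail record and flags every source range that is not inside a trusted CIDR, rating a world-open rule (`0.0.0.0/0`) on a sensitive port as high severity. The trusted ranges, sensitive port list and sample record are constructed; the nested `items` layout is the shape EC2 API calls take in CloudTrail.

```python
import ipaddress

TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "10.0.0.0/8")]  # constructed
SENSITIVE_PORTS = {22, 3389, 3306, 5432}   # remote admin and database ports exposed to the world are the worst case

# Constructed CloudTrail record (not a real event) for an AuthorizeSecurityGroupIngress call.
SAMPLE_EVENT = {
    "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
    "userIdentity": {"type": "IAMUser", "userName": "bob"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": {"items": [{"cidrIp": "198.51.100.0/24"}]}, "ipv6Ranges": {"items": []}},
        {"ipProtocol": "tcp", "fromPort": 8080, "toPort": 8080,
         "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}, "ipv6Ranges": {"items": []}},
    ]}},
}

def ingress_findings(event, trusted=TRUSTED_CIDRS):
    """Return one finding dict per ingress range that admits traffic from outside the trusted CIDRs."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters") or {}
    out = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        ranges += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        lo, hi = perm.get("fromPort"), perm.get("toPort")   # both absent when ipProtocol is "-1" (all traffic)
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            if any(net.subnet_of(t) for t in trusted if net.version == t.version):
                continue                                   # source range is inside our own address space
            exposes_sensitive = lo is None or any(lo <= p <= hi for p in SENSITIVE_PORTS)
            out.append({
                "group": params.get("groupId", "?"), "cidr": cidr, "proto": perm.get("ipProtocol"),
                "ports": "all" if lo is None else (lo, hi),
                "severity": "high" if net.prefixlen == 0 and exposes_sensitive else "medium",
                "changed_from": event.get("sourceIPAddress"),
            })
    return out
```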
5. Steps for Mitigating the Risk of Stolen API Keys
A. Implement the Principle of Least Privilege
To minimize the damage an attacker can do with stolen API keys, apply the principle of least privilege across your AWS account. Ensure that IAM users and roles have only the permissions necessary to perform their tasks.
B. Enforce Multi-Factor Authentication (MFA)
Require MFA for all IAM users, particularly those with administrative privileges. This adds an additional layer of security, making it harder for attackers to gain access even if they have stolen API keys.
C. Regularly Rotate and Audit Access Keys
Regularly rotate access keys and make sure they are tied to IAM users who actually need them. Additionally, audit the use of access keys to ensure they are not being abused or used from unexpected locations.
D. Enable and Monitor CloudTrail and GuardDuty
Ensure that CloudTrail is enabled in all regions and that logs are centralized for analysis. Additionally, AWS GuardDuty can provide real-time monitoring for malicious activity, offering another layer of protection against compromised credentials. Consider AWS Detective to have some intelligence built on top of the findings.
E. Use AWS Config for Compliance Monitoring
AWS Config can be used to monitor compliance with security best practices, including the correct use of IAM policies and security groups. This tool can help identify misconfigurations that might leave your account vulnerable to attack.
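The rotation-and-audit step (5C) as an added example, not code from the original post: a pure function that, given the metadata IAM returns for a user's access keys and each key's last-use record, reports keys that are past the rotation window, idle, never used, or left inactive instead of deleted. The 90-day and 30-day thresholds, timestamps and key ids are constructed assumptions; the `__main__` block shows the boto3 IAM calls that return these shapes for a live account and is not executed on import.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)   # rotation window assumed for this example
IDLE = timedelta(days=30)      # keys unused this long are candidates for removal

# Constructed inputs (not real keys) mirroring the shapes returned by iam.list_access_keys
# ("AccessKeyMetadata" entries) and iam.get_access_key_last_used ("AccessKeyLastUsed").
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active", "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
]
LAST_USED = {
    "AKIAEXAMPLE000000001": {"LastUsedDate": NOW - timedelta(days=2), "ServiceName": "s3", "Region": "us-east-1"},
    "AKIAEXAMPLE000000002": {"ServiceName": "N/A", "Region": "N/A"},   # never used: IAM omits LastUsedDate
    "AKIAEXAMPLE000000003": {"LastUsedDate": NOW - timedelta(days=300), "ServiceName": "iam", "Region": "us-east-1"},
}

def audit_keys(keys, last_used, now=NOW, max_age=MAX_AGE, idle=IDLE):
    """Return {AccessKeyId: [reasons]} for keys that should be rotated or removed."""
    report = {}
    for k in keys:
        reasons = []
        if k["Status"] != "Active":
            reasons.append("inactive-key-still-present")     # delete it; an inactive key can be re-enabled
        if now - k["CreateDate"] > max_age:
            reasons.append("older-than-rotation-window")
        used = last_used.get(k["AccessKeyId"], {}).get("LastUsedDate")
        if used is None:
            if now - k["CreateDate"] > idle:
                reasons.append("never-used")                  # issued but nobody needed it
        elif now - used > idle:
            reasons.append("unused-%d-days" % (now - used).days)
        if reasons:
            report[k["AccessKeyId"]] = reasons
    return report

if __name__ == "__main__":
    # Live use (needs boto3 and IAM read permissions); pagination is omitted for brevity.
    import boto3
    iam = boto3.client("iam")
    keys = [m for u in iam.list_users()["Users"]
            for m in iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]]
    lu = {m["AccessKeyId"]: iam.get_access_key_last_used(AccessKeyId=m["AccessKeyId"])["AccessKeyLastUsed"]
          for m in keys}
    for key_id, why in audit_keys(keys, lu, now=datetime.now(timezone.utc)).items():
        print(key_id, ", ".join(why))
```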
Conclusion
The security of your AWS environment hinges on vigilant monitoring and rapid detection of anomalies within CloudTrail logs. By understanding the normal patterns of legitimate usage and being alert to deviations from those patterns, security professionals can detect and respond to potential compromises, such as those involving stolen API keys, before they cause significant damage. As cloud environments continue to evolve, maintaining a proactive stance on security is essential to protecting sensitive data and ensuring the integrity of your AWS infrastructure. If you want to learn more about what to look for in AWS for signs of intrusion, along with the Microsoft and Google clouds, you might consider my class FOR509, running at SANS Cyber Defense Initiative 2024. Visit for509.com to learn more.