## Overview
Welcome to our comprehensive blog series focused on AWS threat detection. In this series, we will cover key topics that are essential for understanding, identifying, and mitigating threats within your AWS environment. Here’s a preview of what we’ll explore:
- How Attackers Target AWS Services
- Configuring Log Monitoring
- Understanding Different Logs
- Tools for Detecting Attacks and Threats
## Let’s Start With What Is AWS?
Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, offering over 200 fully featured services from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, become more agile, and innovate faster. From AWS Documentation
There are more concepts related to AWS; we will not go through them here, as they are already covered by multiple blogs, videos and the AWS documentation. We have attached a few AWS documentation links which you can refer to:
## Services in AWS
AWS has the largest market share among cloud service providers (Source: Statista report). Over 200 services are available in AWS (according to the AWS documentation); from this we can imagine how many misconfigurations can be present in AWS environments where multiple services are used.
## Most Targeted Services in AWS
- AWS Lambda
- Identity and Access Management (IAM)
- Simple Storage Service (S3 Buckets)
- Elastic Compute Cloud (EC2)
- Elastic Block Store (EBS)
- Simple Notification Service (SNS)
- Simple Queue Service (SQS)
- Amazon Machine Image (AMI)
- Simple Email Service (SES) and many more…
## List of Attacks on AWS
- AWS customer security incidents GitHub Repo, maintained by ramimac
- AWS Data Breach Timeline by firewalltimes
- AWS Public Cloud Security Breaches by breaches.cloud
## Common Misconfigurations in AWS
- Public S3 Buckets
- Public AMIs
- Misconfigured IAM
  - Roles created with excessive permissions
  - Long-term access keys leaked
- Misconfigured Security Groups
- EC2 Instances
  - Keys, passwords etc. in User Data
  - High-privilege roles assigned to EC2
  - Vulnerable web app hosted on EC2
- Lambda Functions
  - Over-privileged IAM roles assigned
  - Using vulnerable third-party libraries
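Three of the misconfigurations above (excessively permissive IAM policies, public S3 bucket ACLs, and secrets in EC2 user data) can be checked offline once the relevant API output is in hand. The following is an added example written for this post, not code from the original page or from any of the tools listed later; the policy document, bucket ACL, user data and account id `123456789012` are constructed inputs in the shapes the IAM and S3 APIs return, not data from a real account.

```python
import json
import re

# Constructed IAM policy document (shape of get-role-policy output); not from a real account.
OVERLY_BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
""")

# Constructed bucket ACL (shape of get-bucket-acl output).
PUBLIC_BUCKET_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed EC2 user data (already base64-decoded). AKIAIOSFODNN7EXAMPLE is the
# AWS documentation example key id, not a live credential.
LEAKY_USER_DATA = "#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport DB_PASSWORD=hunter2\n"

# The pre-signed group URIs that mean "everyone" and "every AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
}


def _as_list(value):
    """IAM allows a single string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def excessive_statements(policy):
    """Indexes of Allow statements that combine a global or service-wide action
    wildcard ("*" or "service:*") with Resource "*". Deny statements are skipped;
    NotAction/NotResource forms are not handled here and deserve review on their own."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wild_action and "*" in resources:
            findings.append(i)
    return findings


def public_grants(acl):
    """(grantee URI, permission) pairs handed to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            out.append((grantee["URI"], grant["Permission"]))
    return out


def secrets_in_user_data(user_data):
    """Names of the secret patterns found in a user-data script, sorted."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(user_data))


if __name__ == "__main__":
    print("over-privileged statements:", excessive_statements(OVERLY_BROAD_POLICY))
    print("public ACL grants:", public_grants(PUBLIC_BUCKET_ACL))
    print("secrets in user data:", secrets_in_user_data(LEAKY_USER_DATA))
```

The policy check treats `Deny` with a wildcard as legitimate (the MFA-enforcing statement above is a common guardrail), so it only reports the two `Allow` statements. In a real account the same functions would be fed the JSON returned by the IAM and S3 APIs for each role, bucket and instance.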
## Tools For AWS Security Check
Here are some tools that can be used to check for misconfigurations in AWS services, including IAM, EC2, Lambda, CloudTrail, SES etc. While we won’t go into detail about these tools, as that is beyond the scope of this blog series, they are worth exploring for enhancing your AWS security posture:
- github.com/RhinoSecurityLabs/pacu
- github.com/andresriancho/enumerate-iam
- github.com/nccgroup/ScoutSuite
- github.com/prowler-cloud/prowler
## MITRE ATT&CK Mappings
These mappings are valuable in both the attacking and defending phases of security. During the attacking phase, they help identify which Tactics, Techniques, and Procedures (TTPs) have been covered and replicated to test our AWS environments. In the defense phase, they guide us in targeting the TTPs that need to be monitored within our environment.
Amazon Web Services Security Control Mappings to MITRE ATT&CK®: This contains Mappings for multiple services in AWS.
Invictus AWS CloudTrail MITRE ATT&CK Mapping: AWS CloudTrail is a service that assists defenders in detecting multiple attacks by logging all activities occurring within an AWS environment. The logs contain detailed information, including the eventName & APIs used. CloudTrail will be covered in depth in later blogs.
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|
| ConsoleLogin | StartInstance | CreateAccessKey | CreateGroup | StopLogging | GetSecretValue | ListUsers | AssumeRole | CreateSnapShot | PutBucketVersioning |
| PasswordRecoveryRequested | StartInstances | CreateUser | CreateRole | DeleteTrail | GetPasswordData | ListRoles | SwitchRole | ModifySnapshotAttributes | RunInstances |
| | Invoke | CreateNetworkAclEntry | UpdateAccessKey | UpdateTrail | RequestCertificate | ListIdentities | | ModifyImageAttribute | DeleteAccountPublicAccessBlock |
| | SendCommand | CreateRoute | PutGroupPolicy | PutEventSelectors | UpdateAssumeRolePolicy | ListAccessKeys | | SharedSnapshotCopyInitiated | |
| | | CreateLoginProfile | PutRolePolicy | DeleteFlowLogs | | ListServiceQuotas | | SharedSnapshotVolumeCreated | |
| | | AuthorizeSecurityGroupEgress | PutUserPolicy | DeleteDetector | | ListInstanceProfiles | | ModifyDBSnapshotAttribute | |
| | | AuthorizeSecurityGroupIngress | AddRoleToInstanceProfile | DeleteMembers | | ListBuckets | | PutBucketPolicy | |
| | | CreateVirtualMFADevice | AddUserToGroup | DeleteSnapshot | | ListGroups | | PutBucketAcl | |
| | | CreateConnection | | DeactivateMFADevice | | GetSendQuota | | | |
| | | ApplySecurityGroupsToLoadBalancer | | DeleteCertificate | | GetCallerIdentity | | | |
| | | SetSecurityGroups | | DeleteConfigRule | | DescribeInstances | | | |
| | | AuthorizeDBSecurityGroupIngress | | DeleteAccessKey | | GetBucketAcl | | | |
| | | CreateDBSecurityGroup | | LeaveOrganization | | GetBucketVersioning | | | |
| | | ChangePassword | | DisassociateFromMasterAccount | | GetAccountAuthorizationDetails | | | |
| | | | | DisassociateMembers | | | | | |
| | | | | StopMonitoringMembers | | | | | |
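The table is directly usable as a detection lookup: every CloudTrail record carries an `eventName`, so tagging records with the tactic column they fall under turns a raw trail into a per-principal view of which stages of an intrusion have been touched. The script below is an added example written for this post, not code from the original page or from Invictus; the tactic lookup is transcribed from the table above, and the six CloudTrail records (account id `123456789012`, users `alice` and `bob`) are constructed in CloudTrail's `{"Records": [...]}` shape, not taken from a real trail.

```python
import json
from collections import Counter

# Tactic lookup transcribed from the eventName table above.
EVENTS_BY_TACTIC = {
    "Initial Access": ["ConsoleLogin", "PasswordRecoveryRequested"],
    "Execution": ["StartInstance", "StartInstances", "Invoke", "SendCommand"],
    "Persistence": ["CreateAccessKey", "CreateUser", "CreateNetworkAclEntry", "CreateRoute",
                    "CreateLoginProfile", "AuthorizeSecurityGroupEgress",
                    "AuthorizeSecurityGroupIngress", "CreateVirtualMFADevice", "CreateConnection",
                    "ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups",
                    "AuthorizeDBSecurityGroupIngress", "CreateDBSecurityGroup", "ChangePassword"],
    "Privilege Escalation": ["CreateGroup", "CreateRole", "UpdateAccessKey", "PutGroupPolicy",
                             "PutRolePolicy", "PutUserPolicy", "AddRoleToInstanceProfile",
                             "AddUserToGroup"],
    "Defense Evasion": ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                        "DeleteFlowLogs", "DeleteDetector", "DeleteMembers", "DeleteSnapshot",
                        "DeactivateMFADevice", "DeleteCertificate", "DeleteConfigRule",
                        "DeleteAccessKey", "LeaveOrganization", "DisassociateFromMasterAccount",
                        "DisassociateMembers", "StopMonitoringMembers"],
    "Credential Access": ["GetSecretValue", "GetPasswordData", "RequestCertificate",
                          "UpdateAssumeRolePolicy"],
    "Discovery": ["ListUsers", "ListRoles", "ListIdentities", "ListAccessKeys", "ListServiceQuotas",
                  "ListInstanceProfiles", "ListBuckets", "ListGroups", "GetSendQuota",
                  "GetCallerIdentity", "DescribeInstances", "GetBucketAcl", "GetBucketVersioning",
                  "GetAccountAuthorizationDetails"],
    "Lateral Movement": ["AssumeRole", "SwitchRole"],
    "Exfiltration": ["CreateSnapShot", "ModifySnapshotAttributes", "ModifyImageAttribute",
                     "SharedSnapshotCopyInitiated", "SharedSnapshotVolumeCreated",
                     "ModifyDBSnapshotAttribute", "PutBucketPolicy", "PutBucketAcl"],
    "Impact": ["PutBucketVersioning", "RunInstances", "DeleteAccountPublicAccessBlock"],
}
TACTIC_BY_EVENT = {name: tactic for tactic, names in EVENTS_BY_TACTIC.items() for name in names}

# Constructed records in CloudTrail's file layout; only the fields used below are present.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T08:00:12Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-15T08:03:40Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-15T08:05:02Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-15T08:01:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/bob"}},
    {"eventTime": "2024-01-15T08:01:30Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/bob"}},
    {"eventTime": "2024-01-15T08:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeRegions",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/bob"}},
]})


def load_records(text=SAMPLE_TRAIL):
    """Parse one CloudTrail log file (the {"Records": [...]} envelope) into a list of records."""
    return json.loads(text)["Records"]


def tag_records(records):
    """(eventTime, principal ARN, eventName, tactic) for every record whose eventName is in
    the table, in time order. Unmapped events (e.g. DescribeRegions) are dropped."""
    tagged = []
    for rec in records:
        tactic = TACTIC_BY_EVENT.get(rec.get("eventName"))
        if tactic is None:
            continue
        ident = rec.get("userIdentity", {})
        principal = ident.get("arn") or ident.get("type", "unknown")
        tagged.append((rec["eventTime"], principal, rec["eventName"], tactic))
    tagged.sort()  # ISO-8601 UTC timestamps sort correctly as strings
    return tagged


def tactic_counts(tagged):
    """How many mapped events fell under each tactic."""
    return Counter(tactic for _, _, _, tactic in tagged)


def principals_with_chain(tagged, min_tactics=3):
    """Principals that touched at least min_tactics distinct tactics. A single Discovery call
    is routine; one identity spanning Initial Access, Persistence and Defense Evasion is not."""
    per_principal = {}
    for _, principal, _, tactic in tagged:
        per_principal.setdefault(principal, set()).add(tactic)
    return sorted(p for p, tactics in per_principal.items() if len(tactics) >= min_tactics)


if __name__ == "__main__":
    tagged = tag_records(load_records())
    for row in tagged:
        print(" | ".join(row))
    print(dict(tactic_counts(tagged)))
    print("multi-tactic principals:", principals_with_chain(tagged))
```

Two caveats worth keeping in mind when using the table this way. The lookup keys on `eventName` alone, so the same name emitted by two services (the record's `eventSource` distinguishes them) is tagged identically; and a name absent from the table is silently ignored, which is why the per-principal roll-up is the more useful output than a list of individual hits.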