...

AWS CloudTrail - Detect Users Creating Keys With Encrypt Policy Without MFA

A KMS key was created, or its key policy was replaced, with a policy that grants the kms:Encrypt action (or kms:*) to every AWS principal. This can be an indicator of a compromised account.

This alert filters CreateKey and PutKeyPolicy CloudTrail events that come from the KMS service. It then parses the different principals and actions from the key policy in requestParameters (the alert only considers the first five principal/action pairs; any further pairs are disregarded). The alert triggers when one of the pairs meets both of the following criteria:

  • The action contains the string kms:* or kms:Encrypt

  • The principal contains the string AWS:*

Source table → cloud.aws.cloudtrail
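As an added example (not part of the original alert definition or of any vendor's code), the following Python models the detection logic above over constructed CloudTrail records. It assumes the key policy arrives as a JSON string under requestParameters.policy, flattens each statement's Principal into "TYPE:value" strings so that both {"AWS": "*"} and a bare "*" become "AWS:*", and applies the same substring checks the description uses. It also goes one step beyond the text to show the consequence of the five-pair cap: a constructed policy whose wildcard grant is the sixth pair is missed with the cap and caught without it. The event and policy contents, the account ID and the ARNs are all made up.

```python
import json

# Constructed sample key policies and CloudTrail records (not real events).
# CloudTrail carries the key policy as a JSON string under
# requestParameters.policy for both CreateKey and PutKeyPolicy.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AnyoneCanEncrypt", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ],
})

SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
})

# Five benign principal/action pairs come first, so the wildcard grant is the
# sixth pair and falls outside the alert's five-pair window.
BURIED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::123456789012:role/r{i}" for i in range(5)]},
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "AnyoneCanEncrypt", "Effect": "Allow",
         "Principal": "*", "Action": "kms:Encrypt", "Resource": "*"},
    ],
})


def _event(name, policy, source="kms.amazonaws.com"):
    # Minimal constructed CloudTrail record; only the fields the check reads.
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {"policy": policy}}


SAMPLE_EVENTS = [
    _event("CreateKey", WILDCARD_POLICY),
    _event("PutKeyPolicy", SAFE_POLICY),
    _event("PutBucketPolicy", WILDCARD_POLICY, source="s3.amazonaws.com"),  # not KMS
]
BURIED_EVENT = _event("PutKeyPolicy", BURIED_POLICY)

MAX_PAIRS = 5  # the alert described above inspects only the first five pairs


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_strings(principal):
    """Flatten a policy Principal into 'TYPE:value' strings."""
    if principal == "*":
        return ["AWS:*"]
    return [f"{ptype}:{v}" for ptype, vals in principal.items() for v in _as_list(vals)]


def policy_pairs(policy_json):
    """Return (principal, action) pairs from Allow statements, in document order."""
    pairs = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Restricting to Allow is my own refinement; the page does not state it.
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for principal in principal_strings(stmt["Principal"]):
            for action in _as_list(stmt.get("Action", [])):
                pairs.append((principal, action))
    return pairs


def is_open_encrypt(principal, action):
    # Substring checks, phrased exactly as the alert description does.
    return ("kms:*" in action or "kms:Encrypt" in action) and "AWS:*" in principal


def evaluate(event, max_pairs=MAX_PAIRS):
    """Return an alert dict for a matching KMS event, else None."""
    if event.get("eventSource") != "kms.amazonaws.com":
        return None
    if event.get("eventName") not in ("CreateKey", "PutKeyPolicy"):
        return None
    policy = (event.get("requestParameters") or {}).get("policy")
    if not policy:
        return None  # CreateKey without a policy gets the default key policy
    for principal, action in policy_pairs(policy)[:max_pairs]:
        if is_open_encrypt(principal, action):
            return {"eventName": event["eventName"], "principal": principal,
                    "action": action,
                    "actor": event.get("userIdentity", {}).get("arn")}
    return None


def run(events, max_pairs=MAX_PAIRS):
    return [a for a in (evaluate(e, max_pairs) for e in events) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
    print("buried grant, capped:", evaluate(BURIED_EVENT))
    print("buried grant, uncapped:", evaluate(BURIED_EVENT, max_pairs=None))
```

Two things worth noting when tuning this alert. The substring match on "AWS:*" only fires when the principal is the literal wildcard, so a bare "*" principal has to be normalised to the same form first, as principal_strings does. And because the alert stops after five pairs, a key policy that lists several principals in an early statement can push an open kms:Encrypt grant past the window; passing max_pairs=None in the example removes that cap.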

ECR Container Scanning Findings Critical

An ECR image scan reported at least one finding of CRITICAL severity.

This alert filters CloudTrail DescribeImageScanFindings events that come from the ECR service, then keeps only those events whose response elements contain the string CRITICAL.

Source table → cloud.aws.cloudtrail

AWS CloudWatch alerts

AWS CloudWatch - AWS Detect STS Get Session Token Abuse

This alert detects calls that obtain STS session tokens (GetSessionToken). Such temporary credentials can be used to move laterally or escalate privileges in AWS, so unexpected callers are worth investigating.

Source table → cloud.aws.cloudtrail 

...