
...

AWS CloudTrail - AWS Console Login Without MFA

A successful AWS console login without MFA was detected. AWS security best practices recommend requiring MFA for console login access.

This alert filters CloudTrail events from signin.amazonaws.com with ConsoleLogin as eventName, a success response, and the MFA value not enabled.

Source table → cloud.aws.cloudtrail 

AWS CloudTrail - New UserPoolClient Created

This alert detects when a UserPoolClient entity is created. These types of entities could be used by an attacker to perform unauthenticated API operations.

This alert filters CloudTrail events from cognito-idp.amazonaws.com with CreateUserPoolClient as eventName.

Source table → cloud.aws.cloudtrail 

...

AWS CloudTrail - OpsWorks Describe Permissions Event

The DescribePermissions event retrieves the descriptions of permissions for a specified stack. This could be used by an attacker to collect information for further attacks.

This alert filters CloudTrail events from opsworks.amazonaws.com source with DescribePermissions as eventName.

Source table → cloud.aws.cloudtrail 

AWS CloudTrail - Permissions Boundary Lifted (Role)

This alert is triggered when a permission boundary is lifted against an IAM role. This action could be used by an attacker to escalate privileges within an AWS account.

This alert filters CloudTrail events from iam.amazonaws.com with DeleteRolePermissionsBoundary as eventName.

Source table → cloud.aws.cloudtrail 

AWS CloudTrail - Permissions Boundary Lifted (User)

This alert is triggered when a permission boundary is lifted against an IAM user. This action could be used by an attacker to escalate privileges within an AWS account.

This alert filters CloudTrail events from iam.amazonaws.com with DeleteUserPermissionsBoundary as eventName.

Source table → cloud.aws.cloudtrail

...

AWS CloudTrail - AWS UpdateLoginProfile

This alert detects when a user updates the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user whose login profile has been updated.

This alert filters UpdateLoginProfile CloudTrail events that come from the IAM service. Two additional filters are applied: userAgent has to be equal to console.amazonaws.com in order to filter only actions performed through the console, and errorCode must be null to avoid false positives. Then, it groups and extracts the userName of the login profile being updated and triggers the alert if the user performing the action is not the same as the one extracted from the request parameters.

Source table → cloud.aws.cloudtrail
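The following is an added example, not part of this page or the product's own alert definitions, showing the filter logic of the "AWS Console Login Without MFA" and "AWS UpdateLoginProfile" alerts applied to constructed CloudTrail records. The field names (eventSource, eventName, userIdentity.userName, requestParameters.userName, responseElements.ConsoleLogin, additionalEventData.MFAUsed, userAgent, errorCode) are assumed from the CloudTrail record format, and all values are made up.

```python
# Constructed sample CloudTrail records (not from the page). Field names follow
# the CloudTrail record format as assumed here; every value is made up.
EVENTS = [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userAgent": "console.amazonaws.com", "errorCode": None,
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "carol"}},
    {"eventID": "e4", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userAgent": "console.amazonaws.com", "errorCode": None,
     "userIdentity": {"userName": "bob"}, "requestParameters": {"userName": "bob"}},
    {"eventID": "e5", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userAgent": "console.amazonaws.com", "errorCode": "AccessDenied",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "dave"}},
]


def console_login_without_mfa(e):
    """Successful console sign-in where MFA was not used (a missing field counts as not used)."""
    return (e.get("eventSource") == "signin.amazonaws.com"
            and e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def update_login_profile_of_other_user(e):
    """Console-driven UpdateLoginProfile with no errorCode whose target is not the actor."""
    if e.get("eventSource") != "iam.amazonaws.com" or e.get("eventName") != "UpdateLoginProfile":
        return False
    if e.get("userAgent") != "console.amazonaws.com" or e.get("errorCode") is not None:
        return False  # non-console or failed calls are excluded to avoid false positives
    actor = e.get("userIdentity", {}).get("userName")
    target = e.get("requestParameters", {}).get("userName")
    return target is not None and actor != target


RULES = {
    "AWS Console Login Without MFA": console_login_without_mfa,
    "AWS UpdateLoginProfile": update_login_profile_of_other_user,
}


def run_alerts(events):
    """Return (alert title, eventID) for every record that matches a rule."""
    return [(title, e["eventID"]) for e in events
            for title, rule in RULES.items() if rule(e)]
```

Records e2 (MFA used), e4 (user updating their own profile) and e5 (failed call) are deliberately included to show each filter suppressing a would-be false positive.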

...