...
A successful AWS Management Console sign-in without MFA was detected. AWS security best practices recommend requiring MFA for console access. This alert filters CloudTrail events from signin.amazonaws.com with ConsoleLogin as eventName, a ConsoleLogin value of Success in responseElements, and MFAUsed set to No in additionalEventData. Sign-ins federated through an external identity provider also report MFAUsed as No, because any MFA happened at the provider rather than at AWS, so expect to tune this rule on userIdentity.type in federated accounts.
This alert detects when a Cognito user pool app client (UserPoolClient) is created. Such clients can be used by an attacker to perform unauthenticated API operations against the user pool. This alert filters CloudTrail events from cognito-idp.amazonaws.com with CreateUserPoolClient as eventName.
...
The DescribePermissions event retrieves the permission descriptions for a specified OpsWorks stack. An attacker could use it to enumerate who can access a stack as reconnaissance for further attacks. This alert filters CloudTrail events from the opsworks.amazonaws.com source with DescribePermissions as eventName.
This alert is triggered when a permissions boundary is removed from an IAM role. A boundary caps the permissions the role's attached policies can grant, so removing it can be used by an attacker to escalate privileges within an AWS account. This alert filters CloudTrail events from iam.amazonaws.com with DeleteRolePermissionsBoundary as eventName.
This alert is triggered when a permissions boundary is removed from an IAM user. A boundary caps the permissions the user's attached policies can grant, so removing it can be used by an attacker to escalate privileges within an AWS account. This alert filters CloudTrail events from iam.amazonaws.com with DeleteUserPermissionsBoundary as eventName.
...
This alert detects when a user updates the login profile (console password) of a different user. This could indicate a privilege escalation in which the attacker sets a new password for the target user and then signs in as them. This alert filters UpdateLoginProfile CloudTrail events from the IAM service (iam.amazonaws.com). Two additional filters are applied: userAgent must equal console.amazonaws.com, so that only actions performed through the console are kept, and errorCode must be null (CloudTrail omits the field on successful calls) to avoid alerting on denied attempts. It then extracts the userName of the login profile being updated from requestParameters and triggers the alert if the user performing the action is not the same as that user.
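As an added example, not code from the page or from the vendor's rule set, the following Python reproduces three of the alerts above (console sign-in without MFA, permissions boundary removal, and UpdateLoginProfile against a different user) as functions over CloudTrail records and runs them across a constructed newline-delimited log. The field names (eventSource, eventName, responseElements.ConsoleLogin, additionalEventData.MFAUsed, requestParameters.userName, userAgent, errorCode, userIdentity) are those of the CloudTrail record format; the sample records, user names and event IDs are constructed for illustration.

```python
"""Toy rule engine for three of the CloudTrail alerts described above (added example)."""
import json
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict


def _actor_name(ev: Event) -> Optional[str]:
    """Name of the calling principal: userIdentity.userName for IAM users, or the
    issuing role's name for role sessions (where userName is absent)."""
    ident = ev.get("userIdentity") or {}
    if ident.get("userName"):
        return ident["userName"]
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("userName")


def console_login_without_mfa(ev: Event) -> bool:
    """Successful ConsoleLogin with additionalEventData.MFAUsed == "No".
    Caveat: federated sign-ins also report "No", since any MFA happened at the IdP."""
    return (
        ev.get("eventSource") == "signin.amazonaws.com"
        and ev.get("eventName") == "ConsoleLogin"
        and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        and (ev.get("additionalEventData") or {}).get("MFAUsed") == "No"
    )


def login_profile_updated_for_other_user(ev: Event) -> bool:
    """Console-originated UpdateLoginProfile that did not fail and whose target
    (requestParameters.userName) is not the caller. CloudTrail omits errorCode
    on success, so "errorCode is null" means the key is absent or None."""
    if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "UpdateLoginProfile":
        return False
    if ev.get("userAgent") != "console.amazonaws.com" or ev.get("errorCode") is not None:
        return False
    target = (ev.get("requestParameters") or {}).get("userName")
    actor = _actor_name(ev)
    return bool(target and actor and target != actor)


def permission_boundary_removed(ev: Event) -> bool:
    """DeleteRolePermissionsBoundary or DeleteUserPermissionsBoundary from IAM."""
    return ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") in (
        "DeleteRolePermissionsBoundary",
        "DeleteUserPermissionsBoundary",
    )


RULES: Dict[str, Callable[[Event], bool]] = {
    "console_login_without_mfa": console_login_without_mfa,
    "login_profile_updated_for_other_user": login_profile_updated_for_other_user,
    "permission_boundary_removed": permission_boundary_removed,
}


def run_rules(jsonl: str) -> List[Tuple[str, str]]:
    """Apply every rule to newline-delimited CloudTrail records; return (rule, eventID) hits."""
    hits: List[Tuple[str, str]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("eventID", "?")))
    return hits


def _rec(event_id: str, source: str, name: str, **extra) -> str:
    """Build one constructed CloudTrail-like record (only the fields the rules read)."""
    return json.dumps({"eventID": event_id, "eventSource": source, "eventName": name, **extra})


# Constructed sample log for the demo; not real CloudTrail output.
SAMPLE_LOG = "\n".join([
    # e1: console sign-in without MFA -> alert
    _rec("e1", "signin.amazonaws.com", "ConsoleLogin", userIdentity={"type": "IAMUser", "userName": "alice"},
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    # e2: same sign-in with MFA -> no alert
    _rec("e2", "signin.amazonaws.com", "ConsoleLogin", userIdentity={"type": "IAMUser", "userName": "alice"},
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    # e3: failed sign-in -> no alert (not a success response)
    _rec("e3", "signin.amazonaws.com", "ConsoleLogin", userIdentity={"type": "IAMUser", "userName": "alice"},
         responseElements={"ConsoleLogin": "Failure"}, additionalEventData={"MFAUsed": "No"}),
    # e4: alice sets bob's console password from the console -> alert
    _rec("e4", "iam.amazonaws.com", "UpdateLoginProfile", userAgent="console.amazonaws.com",
         userIdentity={"type": "IAMUser", "userName": "alice"}, requestParameters={"userName": "bob"}),
    # e5: alice changes her own password -> no alert
    _rec("e5", "iam.amazonaws.com", "UpdateLoginProfile", userAgent="console.amazonaws.com",
         userIdentity={"type": "IAMUser", "userName": "alice"}, requestParameters={"userName": "alice"}),
    # e6: attempt on bob was denied -> no alert (errorCode present)
    _rec("e6", "iam.amazonaws.com", "UpdateLoginProfile", userAgent="console.amazonaws.com", errorCode="AccessDenied",
         userIdentity={"type": "IAMUser", "userName": "alice"}, requestParameters={"userName": "bob"}),
    # e7: boundary removed from a role -> alert
    _rec("e7", "iam.amazonaws.com", "DeleteRolePermissionsBoundary",
         userIdentity={"type": "IAMUser", "userName": "alice"}, requestParameters={"roleName": "deploy"}),
])

if __name__ == "__main__":
    for rule_name, event_id in run_rules(SAMPLE_LOG):
        print(f"{rule_name}: {event_id}")
```

Running the block reports e1, e4 and e7 and stays silent on the MFA-protected, failed, self-service and denied records. One deliberate addition beyond the page's description: the UpdateLoginProfile rule resolves the actor through userIdentity.sessionContext.sessionIssuer when the caller is a role session, because userIdentity.userName is absent there and a plain comparison would silently never match.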
...
An ECR image scan returned at least one finding of CRITICAL severity. This alert filters CloudTrail DescribeImageScanFindings events from the ECR service and keeps those whose response parameters contain the string CRITICAL.
Detects users pushing new images to Amazon Elastic Container Registry (ECR).
Detects actions taken by users to encrypt S3 buckets with KMS keys.
AWS CloudWatch alerts
This alert detects calls that obtain session tokens from AWS STS. The temporary credentials returned by such calls can be used to move laterally or escalate privileges in AWS.
...