...
A request to set a new ACL on a bucket, making it public, has been issued from the AWS CLI. Although this can be a legitimate action, it should be reviewed. The alert matches PutBucketAcl CloudTrail events from the S3 service (eventSource s3.amazonaws.com). To reduce false positives it keeps only events that carry no errorMessage, that is, requests that actually succeeded, and only events whose userAgent contains aws-cli, so that only command-line requests are flagged.
Deleting an IAM group is not dangerous by itself, but correlated with other events, such as recent user or group creations, it can indicate malicious behaviour. The alert matches DeleteGroup CloudTrail events from the IAM service (eventSource iam.amazonaws.com) whose errorCode is one of NoSuchEntityException, DeleteConflictException or AccessDenied; in other words, it fires on failed deletion attempts rather than on deletions that succeeded.
AWS CloudWatch alerts
This alert detects calls that obtain STS session tokens. The temporary credentials returned by such calls can be used to move laterally or escalate privileges in AWS, so the alert is worth correlating with the identity that requested the token and with what that identity does next.
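The three filters above (successful PutBucketAcl from the CLI, DeleteGroup failing with one of the listed error codes, and STS session-token requests), expressed as an added Python example run over constructed CloudTrail records. This is illustrative code written for this page, not the catalog's own query logic. It assumes CloudTrail's documented JSON field names (eventSource, eventName, errorCode, errorMessage, userAgent, requestParameters, userIdentity); it assumes GetSessionToken as the STS event name, since the page does not name it; and the acl_grants_public helper is an assumed enrichment that looks for AllUsers/AuthenticatedUsers grants in requestParameters, which the page's filter does not do. The sample records are constructed, not real trail output.

```python
"""CloudTrail detection rules for the three alerts above, run over constructed records.

Added example, not the alert catalog's own code. Field names follow CloudTrail's
documented record format; GetSessionToken as the STS event name and the shape of
the ACL in requestParameters are assumptions.
"""
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]

GROUP_DELETE_ERRORS = {"NoSuchEntityException", "DeleteConflictException", "AccessDenied"}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def succeeded(event: Event) -> bool:
    """CloudTrail sets errorCode/errorMessage only when the API call failed."""
    return not event.get("errorCode") and not event.get("errorMessage")


def put_bucket_acl_via_cli(event: Event) -> bool:
    """First alert: successful S3 PutBucketAcl whose user agent is the AWS CLI."""
    return (
        event.get("eventSource") == "s3.amazonaws.com"
        and event.get("eventName") == "PutBucketAcl"
        and succeeded(event)
        and "aws-cli" in str(event.get("userAgent", ""))
    )


def acl_grants_public(event: Event) -> bool:
    """Assumed enrichment: does the requested ACL grant to AllUsers/AuthenticatedUsers?"""
    params = event.get("requestParameters") or {}
    if params.get("x-amz-acl") in PUBLIC_CANNED_ACLS:  # canned ACL sent as a header
        return True
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl.get("Grant") or []
    if isinstance(grants, dict):  # a single grant may be serialised as an object, not a list
        grants = [grants]
    return any((g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEE_URIS for g in grants)


def failed_iam_group_delete(event: Event) -> bool:
    """Second alert: IAM DeleteGroup that failed with one of the three listed error codes."""
    return (
        event.get("eventSource") == "iam.amazonaws.com"
        and event.get("eventName") == "DeleteGroup"
        and event.get("errorCode") in GROUP_DELETE_ERRORS
    )


def sts_session_token(event: Event) -> bool:
    """Third alert: a request for an STS session token (event name assumed)."""
    return event.get("eventSource") == "sts.amazonaws.com" and event.get("eventName") == "GetSessionToken"


RULES: Dict[str, Callable[[Event], bool]] = {
    "s3_public_acl_cli": put_bucket_acl_via_cli,
    "iam_group_delete_failed": failed_iam_group_delete,
    "sts_get_session_token": sts_session_token,
}


def run_detections(events: List[Event]) -> List[Dict[str, Any]]:
    """Evaluate every rule against every record and return one hit per (rule, event)."""
    hits: List[Dict[str, Any]] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hit = {"rule": name, "eventID": ev.get("eventID"),
                       "user": (ev.get("userIdentity") or {}).get("arn")}
                if name == "s3_public_acl_cli":  # tell the analyst whether the ACL is actually public
                    hit["public_grant"] = acl_grants_public(ev)
                hits.append(hit)
    return hits


# Constructed sample records (not real trail output); only the fields the rules read are present.
SAMPLE_EVENTS: List[Event] = [
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "demo-bucket", "x-amz-acl": "public-read"}},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "console.amazonaws.com",  # console, not the CLI: no hit
     "requestParameters": {"bucketName": "demo-bucket", "x-amz-acl": "public-read"}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
     "errorMessage": "Access Denied"},  # failed call: filtered out as a false positive
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"bucketName": "demo-bucket", "x-amz-acl": "private"}},  # hit, not public
    {"eventID": "e5", "eventSource": "iam.amazonaws.com", "eventName": "DeleteGroup",
     "errorCode": "DeleteConflictException", "requestParameters": {"groupName": "admins"}},
    {"eventID": "e6", "eventSource": "iam.amazonaws.com", "eventName": "DeleteGroup",
     "requestParameters": {"groupName": "admins"}},  # succeeded: outside the page's filter
    {"eventID": "e7", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints four hits: e1 (public grant confirmed), e4 (CLI PutBucketAcl, but the ACL is private, which is where the page's filter alone would produce noise), e5 (the failed DeleteGroup) and e7 (the session-token request). The successful DeleteGroup e6 is deliberately not matched, because the page's rule keys on the error codes; if you want successful deletions as well, drop the errorCode condition or add a second rule for the success case.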
...