SecOpsAWSLoggingConfigurationChangeObservedRemoveTags

This detection filters CloudTrail events whose eventName is RemoveTags.

Some tags were removed from the configuration of a logging trail. This event should be checked, since it could indicate that an attacker is trying to hide suspicious activity within an AWS account.

Source table → cloud.aws.cloudtrail

SecOpsAWSPermissionsBoundaryModifiedToRole

A Permission Boundary has been modified on a role. This could allow granting all the actions in the permissions of the policies attached to that role.

This alert filters CloudTrail PutRolePermissionsBoundary events.

Source table → cloud.aws.cloudtrail

SecOpsAWSPermissionsBoundaryModifiedToUser

A Permission Boundary has been modified for a role. This could allow granting all the actions in the permissions of the policies attached to that role.

This alert filters CloudTrail PutRolePermissionsBoundary events with null error messages to avoid false positives.

Source table → cloud.aws.cloudtrail

AWS CloudWatch alerts

AWS CloudWatch - AWS Detect STS Get Session Token Abuse

This alert detects actions to get STS session tokens, which can be used to move laterally or escalate privileges in AWS.

Source table → cloud.aws.cloudtrail 
