
AWS

Overview

Amazon Web Services (AWS) is one of the largest cloud providers, and organizations that run workloads on it need cloud security monitoring to protect those environments.

SciSec’s content contains dozens of AWS detections so your organization can monitor its AWS infrastructure, look for areas of risk, and respond to threats as they emerge. The detections cover the AWS products and services CloudTrail, CloudWatch, and VPC.

Check the different AWS-related detections we provide in the table below, grouped by category:

AWS CloudTrail alerts

This alert detects users that received the errorCode value AccessDenied when trying to perform several different actions within a short period of time. This could indicate that a user is trying to enumerate their permissions in the AWS account.

This alert filters events where the errorCode AccessDenied is present and groups them in 5-minute windows by user ARN and AWS account.

Source table → cloud.aws.cloudtrail

A successful AWS console login without MFA was detected. AWS security best practices recommend enabling this security measure for console access login.

This alert filters CloudTrail events from signin.amazonaws.com with ConsoleLogin as eventName, a success response, and the MFA value not enabled.

Source table → cloud.aws.cloudtrail 
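The two CloudTrail checks above (AccessDenied grouped per user ARN and account in 5-minute windows, and a successful ConsoleLogin with MFA not used) can be illustrated with the following added example; it is not SciSec's own detection code. The events are constructed samples in CloudTrail's field layout, and the distinct-action threshold is an assumption because the page states none.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300        # 5-minute grouping described on the page
MIN_DISTINCT_ACTIONS = 3    # assumed threshold; the page does not specify one

def _ts(event):
    """Parse CloudTrail's ISO 8601 eventTime into a tz-aware UTC datetime."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def access_denied_enumeration(events, min_actions=MIN_DISTINCT_ACTIONS):
    """Bucket AccessDenied events into fixed 5-minute windows per (user ARN, account)
    and return the buckets where the user tried at least min_actions distinct actions."""
    buckets = defaultdict(set)
    for e in events:
        if e.get("errorCode") != "AccessDenied":
            continue
        window = int(_ts(e).timestamp()) // WINDOW_SECONDS
        buckets[(e["userIdentity"]["arn"], e["recipientAccountId"], window)].add(e["eventName"])
    return sorted((arn, acct, sorted(actions))
                  for (arn, acct, _), actions in buckets.items() if len(actions) >= min_actions)

def console_login_without_mfa(events):
    """Return the ARNs behind successful console logins where MFAUsed is 'No'."""
    return [e["userIdentity"]["arn"] for e in events
            if e.get("eventSource") == "signin.amazonaws.com"
            and e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") == "No"]

def _ev(time, name, source="iam.amazonaws.com", arn="arn:aws:iam::111122223333:user/alice", **extra):
    """Build a minimal constructed CloudTrail record (sample data, not a real trail)."""
    e = {"eventTime": time, "eventName": name, "eventSource": source,
         "userIdentity": {"arn": arn}, "recipientAccountId": "111122223333"}
    e.update(extra)
    return e

BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE_EVENTS = [  # constructed: alice probes three IAM actions inside one 5-minute window
    _ev("2024-05-01T10:00:05Z", "ListUsers", errorCode="AccessDenied"),
    _ev("2024-05-01T10:01:10Z", "ListRoles", errorCode="AccessDenied"),
    _ev("2024-05-01T10:02:30Z", "GetAccountSummary", errorCode="AccessDenied"),
    _ev("2024-05-01T10:03:00Z", "ListUsers", errorCode="AccessDenied"),  # repeat, not a new action
    _ev("2024-05-01T11:30:00Z", "ListBuckets", "s3.amazonaws.com", arn=BOB, errorCode="AccessDenied"),
    _ev("2024-05-01T12:00:00Z", "ConsoleLogin", "signin.amazonaws.com", arn=BOB,
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _ev("2024-05-01T12:05:00Z", "ConsoleLogin", "signin.amazonaws.com",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
]

if __name__ == "__main__":
    print(access_denied_enumeration(SAMPLE_EVENTS))
    print(console_login_without_mfa(SAMPLE_EVENTS))
```

Fixed windows aligned to the epoch are used here; a production rule would normally use the SIEM's own time-window grouping so a burst straddling a boundary is not missed.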

This alert detects when a UserPoolClient entity is created. These types of entities could be used by an attacker to perform unauthenticated API operations.

This alert filters CloudTrail events from cognito-idp.amazonaws.com with CreateUserPoolClient as eventName.

Source table → cloud.aws.cloudtrail 

Detects when a Customer Master Key (CMK) is disabled or scheduled for deletion.

Source table → cloud.aws.cloudtrail

Creating DB snapshots is an efficient way for an attacker to begin exfiltrating a target database. These signals should be considered in the context of other signals that may indicate data theft is in progress.

Source table → cloud.aws.cloudtrail

AWS CloudWatch alerts

Amazon VPC