Detecting AWS Account Compromise: Key Indicators in CloudTrail Logs for Stolen API Keys

Aug 20, 2024 | The Hacker News | Cybersecurity / Cloud Security

As cloud infrastructure becomes the backbone of modern enterprises, ensuring the security of those environments is paramount. With AWS (Amazon Web Services) still the dominant cloud, any security professional needs to know where to look for indicators of compromise. AWS CloudTrail stands out as an essential tool for monitoring and logging API activity, providing a comprehensive record of the actions taken within an AWS account. Think of CloudTrail as an audit or event log for all of the API calls made in your AWS account. For security professionals, monitoring these logs is critical, particularly for detecting potential unauthorized access, such as access through stolen API keys. These techniques, and many others, are ones I've learned through the AWS incidents I've worked and that we built into SANS FOR509, Enterprise Cloud Forensics.

1. Unusual API Calls and Access Patterns

A. Sudden Spike in API Requests

One of the first indicators of a potential security breach is an unexpected increase in API requests. CloudTrail logs every API call made within your AWS account, including who made the call, when it was made, and from where. An attacker with stolen API keys might issue a large number of requests in a short time frame, either probing the account for information or attempting to exploit particular services.

What to Look For:

  • A sudden, uncharacteristic surge in API activity.
  • API calls from unusual IP addresses, particularly from regions where legitimate users do not operate.
  • Access attempts against a wide variety of services, especially ones your organization does not normally use.

Note that GuardDuty (if enabled) will automatically flag these kinds of events, but someone has to be watching its findings to act on them.

B. Unauthorized Use of the Root Account

AWS strongly recommends against using the root account for day-to-day operations because of its high level of privilege. Any access to the root account, especially if API keys associated with it are being used, is a major red flag.

What to Look For:

  • API calls made with root account credentials, especially if the root account is not normally used.
  • Changes to account-level settings, such as modifying billing information or account configuration.
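The checks in sections 1A and 1B can be run directly over CloudTrail JSON. The following is an added example, not code from the article or from AWS: it reads the CloudTrail fields `eventTime`, `eventSource`, `eventName`, `sourceIPAddress` and `userIdentity`, and finds per-principal call bursts with a sliding window, calls from outside a set of known networks, principals that touch an unusual number of services, and any call authenticated as `Root`. The sample events, the thresholds and the known network ranges are constructed assumptions to be replaced with your own baseline.

```python
"""Baseline-deviation checks over CloudTrail records (sections 1A and 1B).
Added example, not code from the article or from AWS. Sample events below are
constructed; thresholds and KNOWN_CIDRS are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_of(event):
    """Identify the caller by ARN; fall back to the identity type."""
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")


def find_bursts(events, window=timedelta(minutes=5), threshold=50):
    """Principals whose call volume inside any sliding window exceeds the threshold.
    Returns one (principal, window_start, peak_count) tuple per offending principal."""
    times_by_principal = defaultdict(list)
    for ev in events:
        times_by_principal[principal_of(ev)].append(parse_time(ev["eventTime"]))
    findings = []
    for who, times in times_by_principal.items():
        times.sort()
        start, peak, peak_start = 0, 0, None
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 > peak:
                peak, peak_start = end - start + 1, times[start]
        if peak > threshold:
            findings.append((who, peak_start, peak))
    return findings


def find_unknown_ips(events, known_cidrs):
    """Calls whose source address lies outside the networks legitimate users come from."""
    nets = [ipaddress.ip_network(c) for c in known_cidrs]
    hits = []
    for ev in events:
        src = ev.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # calls placed by AWS services carry a DNS name here, not an IP
        if not any(addr in n for n in nets):
            hits.append((principal_of(ev), src, ev["eventName"]))
    return hits


def find_service_sprawl(events, max_services=5):
    """Principals touching more distinct services than their role should need."""
    services = defaultdict(set)
    for ev in events:
        services[principal_of(ev)].add(ev["eventSource"])
    return {who: sorted(s) for who, s in services.items() if len(s) > max_services}


def find_root_usage(events):
    """Any API call authenticated as the account root user (section 1B)."""
    return [ev for ev in events if (ev.get("userIdentity") or {}).get("type") == "Root"]


# --- constructed sample data (not real CloudTrail output) ---------------------
def _event(t, source, name, ip, identity):
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": identity}


ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
KNOWN_CIDRS = ["10.0.0.0/8", "198.51.100.0/24"]  # assumed office and VPN ranges
PROBE_APIS = [("ec2.amazonaws.com", "DescribeInstances"), ("s3.amazonaws.com", "ListBuckets"),
              ("iam.amazonaws.com", "ListUsers"), ("sts.amazonaws.com", "GetCallerIdentity"),
              ("lambda.amazonaws.com", "ListFunctions"), ("secretsmanager.amazonaws.com", "ListSecrets"),
              ("rds.amazonaws.com", "DescribeDBInstances"), ("dynamodb.amazonaws.com", "ListTables")]

# one routine call from the office, then 64 enumeration calls in about two minutes
# from an address outside KNOWN_CIDRS, then a root-authenticated IAM change
SAMPLE_EVENTS = [_event("2024-08-20T09:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "10.1.2.3", ALICE)]
_burst_start = datetime(2024, 8, 20, 3, 10, tzinfo=timezone.utc)
for i in range(64):
    source, name = PROBE_APIS[i % len(PROBE_APIS)]
    stamp = (_burst_start + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
    SAMPLE_EVENTS.append(_event(stamp, source, name, "203.0.113.7", ALICE))
SAMPLE_EVENTS.append(_event("2024-08-20T03:15:00Z", "iam.amazonaws.com", "CreateUser", "203.0.113.7", ROOT))

if __name__ == "__main__":
    print("bursts:", find_bursts(SAMPLE_EVENTS))
    print("calls from unknown addresses:", len(find_unknown_ips(SAMPLE_EVENTS, KNOWN_CIDRS)))
    print("service sprawl:", find_service_sprawl(SAMPLE_EVENTS))
    print("root calls:", [(e["eventTime"], e["eventName"]) for e in find_root_usage(SAMPLE_EVENTS)])
```

Thresholds are the weak point of any such check: derive them from a few weeks of your own logs per principal rather than from a single global number, and treat the root-user check as zero-tolerance rather than threshold-based.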

2. Anomalous IAM Activity

A. Suspicious Creation of Access Keys

Attackers may create new access keys to establish persistent access to the compromised account. Monitoring CloudTrail logs for the creation of new access keys is crucial, especially when those keys are created for accounts that do not normally need them.

What to Look For:

  • Creation of new access keys for IAM users, particularly users who have not needed them before.
  • Immediate use of newly created access keys, which can indicate that an attacker is testing or using those keys.
  • API calls related to `CreateAccessKey`, `ListAccessKeys`, and `UpdateAccessKey`.

C. Role Assumption Patterns

AWS allows users to assume roles, which grants them temporary credentials for specific tasks. Monitoring for unusual role assumption patterns is vital, because an attacker may assume roles to pivot across the environment.

What to Look For:

  • Unusual or frequent `AssumeRole` API calls, especially to roles with elevated privileges.
  • Role assumptions from IP addresses or regions not normally associated with your legitimate users.
  • Role assumptions that are followed by actions inconsistent with normal business operations.
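Both the "immediate use of a new key" indicator in 2A and the "what was done after AssumeRole" indicator in 2C reduce to the same join: CloudTrail records the issued key id in `responseElements` (`accessKey.accessKeyId` for `CreateAccessKey`, `credentials.accessKeyId` for `AssumeRole`), and every later call carries `userIdentity.accessKeyId`. The following is an added example covering both sections; it is not code from the article or from AWS. The sample events, the known network ranges and the list of privileged roles are constructed assumptions.

```python
"""Correlate credential issuance with the calls later made using that credential
(sections 2A and 2C). Added example, not code from the article or AWS; sample
events, KNOWN_CIDRS and PRIVILEGED_ROLES are constructed assumptions."""
import ipaddress
from datetime import datetime, timedelta, timezone


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issued_credentials(events):
    """Map each newly issued access key id to the CloudTrail event that issued it."""
    issued = {}
    for ev in events:
        resp = ev.get("responseElements") or {}
        if ev["eventName"] == "CreateAccessKey":
            key = (resp.get("accessKey") or {}).get("accessKeyId")
        elif ev["eventName"] == "AssumeRole":
            key = (resp.get("credentials") or {}).get("accessKeyId")
        else:
            continue
        if key:
            issued[key] = ev
    return issued


def _from_known_network(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # DNS name: the call was placed by an AWS service on the caller's behalf
    return any(addr in n for n in nets)


def correlate(events, known_cidrs, privileged_roles, quick_use=timedelta(minutes=15)):
    """Return {accessKeyId: finding} for suspicious issuances, each listing the
    follow-on calls made with that key so an analyst can judge them (2C, third bullet)."""
    nets = [ipaddress.ip_network(c) for c in known_cidrs]
    findings = {}
    for key, issue in issued_credentials(events).items():
        uses = sorted((e for e in events if (e.get("userIdentity") or {}).get("accessKeyId") == key),
                      key=lambda e: parse_time(e["eventTime"]))
        reasons = []
        if issue["eventName"] == "CreateAccessKey" and uses:
            delay = parse_time(uses[0]["eventTime"]) - parse_time(issue["eventTime"])
            if delay <= quick_use:  # 2A: a key that is used moments after creation
                reasons.append(f"new key used {int(delay.total_seconds())}s after creation")
        if issue["eventName"] == "AssumeRole":
            role = (issue.get("requestParameters") or {}).get("roleArn", "")
            if role in privileged_roles:
                reasons.append(f"assumed privileged role {role}")
            if not _from_known_network(issue.get("sourceIPAddress", ""), nets):
                reasons.append(f"AssumeRole from unknown address {issue['sourceIPAddress']}")
        if reasons:
            findings[key] = {"issued_by": issue["eventName"],
                             "issuer": (issue.get("userIdentity") or {}).get("arn"),
                             "reasons": reasons,
                             "follow_on": [e["eventName"] for e in uses]}
    return findings


# --- constructed sample data (key ids and ARNs are made up) -------------------
ACCOUNT = "123456789012"
BOB_KEY, ADMIN_SESSION, CAROL_SESSION = "AKIAEXAMPLENEWKEY001", "ASIAEXAMPLEADMIN0001", "ASIAEXAMPLERDONLY001"
KNOWN_CIDRS = ["10.0.0.0/8"]
PRIVILEGED_ROLES = {f"arn:aws:iam::{ACCOUNT}:role/AdminRole"}


def _ev(t, source, name, ip, identity, request=None, response=None):
    return {"eventTime": t, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": identity, "requestParameters": request, "responseElements": response}


ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}
BOB = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob", "accessKeyId": BOB_KEY}
ADMIN = {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/AdminRole/s1", "accessKeyId": ADMIN_SESSION}
CAROL = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/carol", "accessKeyId": "AKIAEXAMPLECAROL0001"}
READONLY = {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ReadOnly/carol", "accessKeyId": CAROL_SESSION}

SAMPLE_EVENTS = [
    # a stolen key for alice mints a key for bob; it is used within a minute and then escalates
    _ev("2024-08-20T10:00:00Z", "iam.amazonaws.com", "CreateAccessKey", "203.0.113.7", ALICE,
        {"userName": "bob"}, {"accessKey": {"accessKeyId": BOB_KEY, "status": "Active", "userName": "bob"}}),
    _ev("2024-08-20T10:00:45Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.7", BOB),
    _ev("2024-08-20T10:01:00Z", "sts.amazonaws.com", "AssumeRole", "203.0.113.7", BOB,
        {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/AdminRole", "roleSessionName": "s1"},
        {"credentials": {"accessKeyId": ADMIN_SESSION}}),
    _ev("2024-08-20T10:01:20Z", "iam.amazonaws.com", "CreateUser", "203.0.113.7", ADMIN, {"userName": "svc-backup"}),
    # routine: carol assumes a read-only role from the office network
    _ev("2024-08-19T08:00:00Z", "sts.amazonaws.com", "AssumeRole", "10.0.5.5", CAROL,
        {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ReadOnly", "roleSessionName": "carol"},
        {"credentials": {"accessKeyId": CAROL_SESSION}}),
    _ev("2024-08-19T08:00:02Z", "ec2.amazonaws.com", "DescribeInstances", "10.0.5.5", READONLY),
]

if __name__ == "__main__":
    for key, finding in correlate(SAMPLE_EVENTS, KNOWN_CIDRS, PRIVILEGED_ROLES).items():
        print(key, finding)
```

Quick use after `AssumeRole` is normal (SDKs use the session immediately), which is why the delay check applies only to `CreateAccessKey`; for role sessions the signal is the source network, the role's privilege level, and the follow-on call list.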

3. Anomalous Data Access and Movement

A. Unusual S3 Bucket Access

Amazon S3 is a frequent target for attackers, given that it can store vast amounts of potentially sensitive data. Monitoring CloudTrail for unusual access to S3 buckets is essential for detecting compromised API keys.

What to Look For:

  • API calls such as `ListBuckets`, `GetObject`, or `PutObject` against buckets that do not normally see such activity.
  • Large-scale downloads from or uploads to S3 buckets, especially outside normal business hours.
  • Access attempts against buckets that store sensitive data, such as backups or confidential files.

B. Data Exfiltration Attempts

An attacker may try to move data out of your AWS environment. CloudTrail logs can help detect such exfiltration attempts, especially when the data transfer patterns are unusual.

What to Look For:

  • Large data transfers from services like S3, RDS (Relational Database Service), or DynamoDB, especially to external or unknown IP addresses.
  • API calls related to services like AWS DataSync or S3 Transfer Acceleration that are not normally used in your environment.
  • Attempts to create or modify data replication configurations, such as S3 cross-region replication.
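The volume and timing checks in 3A and the configuration-change checks in 3B can be written against S3 data events, which CloudTrail records only when data events are enabled on the trail; `GetObject` and `PutObject` records then carry `additionalEventData.bytesTransferredOut` and `bytesTransferredIn`. The following is an added example covering both sections, not code from the article or from AWS. The sample events, the per-principal baseline of buckets, the byte threshold and the business-hours window (UTC) are constructed assumptions.

```python
"""S3 egress-volume and transfer-configuration checks (sections 3A and 3B).
Added example, not code from the article or AWS. Requires S3 data events on the
trail. Sample events, BASELINE, the threshold and business hours are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone

# management APIs that set up continuous or accelerated copies of bucket data
TRANSFER_CONFIG_APIS = {"PutBucketReplication", "PutBucketAccelerateConfiguration",
                        "CreateTask"}  # CreateTask is AWS DataSync


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_of(event):
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")


def _is_get(event):
    return event["eventSource"] == "s3.amazonaws.com" and event["eventName"] == "GetObject"


def _bytes_out(event):
    return int((event.get("additionalEventData") or {}).get("bytesTransferredOut", 0))


def egress_by_principal(events):
    """Total bytes served out of S3 per caller, from GetObject data events."""
    totals = defaultdict(int)
    for ev in events:
        if _is_get(ev):
            totals[principal_of(ev)] += _bytes_out(ev)
    return dict(totals)


def flag_bulk_downloads(events, baseline, threshold_bytes, business_hours=(8, 18)):
    """Aggregate GetObject per (principal, bucket) and report pairs that exceed the
    byte threshold or touch a bucket the principal has never read before."""
    agg = {}
    for ev in events:
        if not _is_get(ev):
            continue
        who = principal_of(ev)
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        entry = agg.setdefault((who, bucket), {"bytes": 0, "objects": 0, "off_hours": False})
        entry["bytes"] += _bytes_out(ev)
        entry["objects"] += 1
        hour = parse_time(ev["eventTime"]).hour
        if not business_hours[0] <= hour < business_hours[1]:
            entry["off_hours"] = True
    findings = []
    for (who, bucket), entry in agg.items():
        new = bucket not in baseline.get(who, set())
        if entry["bytes"] >= threshold_bytes or new:
            findings.append({"principal": who, "bucket": bucket, "new_for_principal": new, **entry})
    return findings


def flag_transfer_config_changes(events):
    """Section 3B: replication, acceleration and DataSync task creation events."""
    return [ev for ev in events if ev["eventName"] in TRANSFER_CONFIG_APIS]


# --- constructed sample data -------------------------------------------------
ACCOUNT = "123456789012"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
WEB = f"arn:aws:sts::{ACCOUNT}:assumed-role/WebAppRole/i-0abc"
BASELINE = {WEB: {"web-assets"}, BOB: set()}  # assumed: learned from earlier weeks of logs
MiB = 1024 * 1024


def _get(t, who, bucket, key, nbytes, ip):
    return {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "sourceIPAddress": ip, "userIdentity": {"arn": who},
            "requestParameters": {"bucketName": bucket, "key": key},
            "additionalEventData": {"bytesTransferredIn": 0, "bytesTransferredOut": nbytes}}


def _config(t, who, name, bucket, ip):
    return {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"arn": who},
            "requestParameters": {"bucketName": bucket}}


SAMPLE_EVENTS = []
for i in range(10):  # routine: the web app reads small assets mid-morning
    SAMPLE_EVENTS.append(_get(f"2024-08-20T10:{i:02d}:00Z", WEB, "web-assets", f"img/{i}.png", 100 * 1024, "10.0.3.4"))
for i in range(40):  # suspicious: 40 backup archives of 50 MiB pulled at 02:xx UTC to an outside address
    SAMPLE_EVENTS.append(_get(f"2024-08-20T02:{i:02d}:00Z", BOB, "corp-backups", f"db/dump-{i}.sql.gz", 50 * MiB, "203.0.113.7"))
SAMPLE_EVENTS.append(_config("2024-08-20T02:50:00Z", BOB, "PutBucketReplication", "corp-backups", "203.0.113.7"))
SAMPLE_EVENTS.append(_config("2024-08-20T02:51:00Z", BOB, "PutBucketAccelerateConfiguration", "corp-backups", "203.0.113.7"))

if __name__ == "__main__":
    print(egress_by_principal(SAMPLE_EVENTS))
    print(flag_bulk_downloads(SAMPLE_EVENTS, BASELINE, threshold_bytes=1024 ** 3))
    print([e["eventName"] for e in flag_transfer_config_changes(SAMPLE_EVENTS)])
```

RDS and DynamoDB exports do not produce per-byte data events the way S3 does; for those services the equivalent signals are management events such as snapshot sharing or export-task creation, which this example does not cover.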

4. Unexpected Security Group Modifications

Security groups control inbound and outbound traffic to AWS resources. An attacker may modify these settings to open additional attack vectors, such as enabling SSH access from external IP addresses.

What to Look For:

  • Changes to security group rules that allow inbound traffic from IP addresses outside your trusted network.
  • API calls such as `AuthorizeSecurityGroupIngress` or `RevokeSecurityGroupEgress` that do not align with normal operations.
  • Creation of new security groups with overly permissive rules, such as allowing all inbound traffic on common ports.
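EC2 logs the rules of an `AuthorizeSecurityGroupIngress` call under `requestParameters.ipPermissions.items[]`, each entry carrying `ipProtocol`, `fromPort`, `toPort`, `ipRanges.items[].cidrIp` and `ipv6Ranges.items[].cidrIpv6`. The following is an added example, not code from the article or from AWS: it flattens that structure, rates each new ingress rule by source scope and exposed ports, and keeps a plain log of every security-group mutation for comparison against change tickets. The sample events, the trusted network list and the port table are constructed assumptions.

```python
"""Risk-rate security group rule changes from CloudTrail (section 4).
Added example, not code from the article or AWS. Sample events, TRUSTED_CIDRS
and SENSITIVE_PORTS are assumptions."""
import ipaddress

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
SG_CHANGE_APIS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                  "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                  "CreateSecurityGroup", "ModifySecurityGroupRules"}


def iter_rules(event):
    """Flatten requestParameters.ipPermissions into (protocol, from_port, to_port, cidr)."""
    req = event.get("requestParameters") or {}
    for perm in ((req.get("ipPermissions") or {}).get("items") or []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        for r in ((perm.get("ipRanges") or {}).get("items") or []):
            yield proto, lo, hi, r.get("cidrIp")
        for r in ((perm.get("ipv6Ranges") or {}).get("items") or []):
            yield proto, lo, hi, r.get("cidrIpv6")


def _within_trusted(cidr, trusted):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(n.version == net.version and net.subnet_of(n) for n in trusted)


def rate_rule(proto, lo, hi, cidr, trusted):
    """Return (severity, reasons) for one ingress rule; trusted sources rate 'none'."""
    public = cidr in ANY_ADDRESS
    if not public and _within_trusted(cidr, trusted):
        return "none", []
    reasons = ["source is the whole internet" if public else f"source {cidr} is outside trusted networks"]
    broad = False
    if proto == "-1":  # EC2 encodes "all traffic" as protocol -1 with no ports
        reasons.append("all protocols and ports")
        broad = True
    elif lo is not None and hi is not None:
        exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
        if exposed:
            reasons.append("exposes " + ", ".join(exposed))
            broad = True
        if hi - lo >= 1000:
            reasons.append(f"wide port range {lo}-{hi}")
            broad = True
    if public and broad:
        return "high", reasons
    return ("medium" if public else "low"), reasons


def review_ingress_changes(events, trusted_cidrs):
    """One finding per rated ingress rule added by AuthorizeSecurityGroupIngress."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for ev in events:
        if ev["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        for proto, lo, hi, cidr in iter_rules(ev):
            severity, reasons = rate_rule(proto, lo, hi, cidr, trusted)
            if severity != "none":
                findings.append({"eventTime": ev["eventTime"], "principal": ev["userIdentity"].get("arn"),
                                 "groupId": ev["requestParameters"].get("groupId"),
                                 "rule": (proto, lo, hi, cidr), "severity": severity, "reasons": reasons})
    return findings


def change_log(events):
    """Every security-group mutation, to reconcile against approved changes."""
    return [(ev["eventTime"], ev["userIdentity"].get("arn"), ev["eventName"],
             (ev.get("requestParameters") or {}).get("groupId"))
            for ev in events if ev["eventName"] in SG_CHANGE_APIS]


# --- constructed sample data -------------------------------------------------
def _sg_event(t, name, who, ip, group, permissions):
    return {"eventTime": t, "eventSource": "ec2.amazonaws.com", "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "arn": who},
            "requestParameters": {"groupId": group, "ipPermissions": {"items": permissions}}}


def _perm(proto, lo, hi, cidr):
    item = {"ipProtocol": proto, "groups": {}, "ipRanges": {"items": [{"cidrIp": cidr}]},
            "ipv6Ranges": {}, "prefixListIds": {}}
    if lo is not None:
        item.update({"fromPort": lo, "toPort": hi})
    return item


BOB = "arn:aws:iam::123456789012:user/bob"
DEPLOY = "arn:aws:iam::123456789012:user/deploy"
TRUSTED_CIDRS = ["10.0.0.0/8", "198.51.100.0/24"]
SAMPLE_EVENTS = [
    _sg_event("2024-08-20T03:20:00Z", "AuthorizeSecurityGroupIngress", BOB, "203.0.113.7",
              "sg-0123456789abcdef0", [_perm("tcp", 22, 22, "0.0.0.0/0")]),          # SSH from anywhere
    _sg_event("2024-08-20T03:21:00Z", "RevokeSecurityGroupEgress", BOB, "203.0.113.7",
              "sg-0123456789abcdef0", [_perm("-1", None, None, "0.0.0.0/0")]),
    _sg_event("2024-08-20T11:00:00Z", "AuthorizeSecurityGroupIngress", DEPLOY, "10.0.1.9",
              "sg-0fedcba9876543210", [_perm("tcp", 443, 443, "0.0.0.0/0")]),        # public HTTPS
    _sg_event("2024-08-20T11:05:00Z", "AuthorizeSecurityGroupIngress", DEPLOY, "10.0.1.9",
              "sg-0a1b2c3d4e5f60718", [_perm("tcp", 5432, 5432, "10.0.0.0/16")]),    # internal only
]

if __name__ == "__main__":
    for f in review_ingress_changes(SAMPLE_EVENTS, TRUSTED_CIDRS):
        print(f["severity"], f["groupId"], f["rule"], f["reasons"])
    print(change_log(SAMPLE_EVENTS))
```

The public HTTPS rule rates "medium" rather than being suppressed on purpose: whether it is expected depends on the group's role, which the log alone cannot tell you, so the finding should be reconciled against the change record from `change_log` rather than dropped.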

5. Steps for Mitigating the Risk of Stolen API Keys

A. Implement the Principle of Least Privilege

To minimize the damage an attacker can do with stolen API keys, apply the principle of least privilege across your AWS account. Ensure that IAM users and roles have only the permissions necessary to perform their tasks.

B. Enforce Multi-Factor Authentication (MFA)

Require MFA for all IAM users, particularly those with administrative privileges. This adds another layer of protection, making it harder for attackers to gain access even if they have stolen API keys.

C. Regularly Rotate and Audit Access Keys

Rotate access keys regularly and ensure that they belong only to IAM users who actually need them. In addition, audit the use of access keys to confirm they are not being abused or used from unexpected locations.

D. Enable and Monitor CloudTrail and GuardDuty

Ensure that CloudTrail is enabled in all regions and that its logs are centralized for analysis. In addition, AWS GuardDuty can provide real-time monitoring for malicious activity, offering another layer of protection against compromised credentials. Consider AWS Detective to build some investigative intelligence on top of those findings.

E. Use AWS Config for Compliance Monitoring

AWS Config can be used to monitor compliance with security best practices, including the proper use of IAM policies and security groups. This tool can help identify misconfigurations that would leave your account vulnerable to attack.
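The audit in 5B and 5C is easiest to run from the IAM credential report, the CSV produced by `aws iam generate-credential-report` followed by `aws iam get-credential-report`. The following is an added example, not code from the article or from AWS: it reads the report's `mfa_active`, `access_key_N_active`, `access_key_N_last_rotated`, `access_key_N_last_used_date` and `access_key_N_last_used_region` columns and reports console users without MFA, active root access keys, keys past their rotation age, keys unused for too long, and keys last used from an unexpected region. The embedded report, the thresholds and the allowed-region list are constructed assumptions. One caveat worth knowing for 5B: a console MFA device does not by itself stop API calls signed with a long-lived access key; MFA constrains API use only where IAM policies condition sensitive actions on `aws:MultiFactorAuthPresent`, which is another reason to keep the key inventory below short.

```python
"""Audit access keys and MFA from the IAM credential report (sections 5B and 5C).
Added example, not code from the article or AWS. CREDENTIAL_REPORT is a
constructed stand-in for the CSV that get-credential-report returns; the
thresholds and ALLOWED_REGIONS are assumptions."""
import csv
import io
from datetime import datetime, timezone

NO_VALUE = {"N/A", "no_information", "not_supported"}  # placeholders the report uses


def _ts(value):
    """Report timestamps are ISO-8601 with a UTC offset; placeholders become None."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90, stale_days=45, allowed_regions=()):
    """Return a list of findings, each a dict with user, check and detail."""
    findings = []

    def add(user, check, detail):
        findings.append({"user": user, "check": check, "detail": detail})

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # 5B: a console password without an MFA device
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            add(user, "console_without_mfa", "console password set but no MFA device")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":  # section 1B: root should have no keys at all
                add(user, "root_access_key", f"access key {n} is active on the root user")
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is not None and age > max_key_age_days:
                add(user, "key_age", f"access key {n} is {age} days old")
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                if age is not None and age > stale_days:
                    add(user, "key_unused", f"access key {n} never used in {age} days")
            elif (now - last_used).days > stale_days:
                add(user, "key_unused", f"access key {n} last used {(now - last_used).days} days ago")
            region = row[f"access_key_{n}_last_used_region"]
            if allowed_regions and region not in NO_VALUE and region not in allowed_regions:
                add(user, "key_region", f"access key {n} last used from {region}")
    return findings


# --- constructed credential report (22 columns, same layout as the real one) --
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-15T10:00:00+00:00,not_supported,2024-08-01T12:00:00+00:00,not_supported,not_supported,true,true,2019-01-15T10:05:00+00:00,2024-08-19T03:12:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-01T09:00:00+00:00,true,2024-08-19T08:00:00+00:00,2024-05-01T09:00:00+00:00,N/A,false,true,2024-07-01T00:00:00+00:00,2024-08-19T11:30:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-10T00:00:00+00:00,2024-08-18T15:00:00+00:00,us-east-1,ec2,true,2024-08-20T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-11-20T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-06-01T00:00:00+00:00,2024-06-02T10:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-08-01T09:00:00+00:00,true,2024-08-19T09:00:00+00:00,2024-07-15T09:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
REPORT_TIME = datetime(2024, 8, 20, tzinfo=timezone.utc)  # assumed time the report was pulled
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}


def run_audit():
    return audit_credential_report(CREDENTIAL_REPORT, REPORT_TIME, allowed_regions=ALLOWED_REGIONS)


if __name__ == "__main__":
    for finding in run_audit():
        print(f"{finding['user']:16} {finding['check']:20} {finding['detail']}")
```

The region column only records where each key was last used, so the `key_region` check is a coarse version of the "used from unexpected locations" audit in 5C; the per-call source address checks over CloudTrail give the finer-grained view.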

Conclusion

The security of your AWS environment hinges on vigilant monitoring and rapid detection of anomalies in CloudTrail logs. By understanding the typical patterns of legitimate usage and staying alert to deviations from them, security professionals can detect and respond to potential compromises, such as those involving stolen API keys, before they cause significant damage. As cloud environments continue to evolve, maintaining a proactive security posture is essential to protecting sensitive data and preserving the integrity of your AWS infrastructure. If you want to learn more about what to look for in AWS for signs of intrusion, along with the Microsoft and Google clouds, consider my class FOR509, running at SANS Cyber Defense Initiative 2024. Visit for509.com to learn more.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
