-
Notifications
You must be signed in to change notification settings - Fork 375
/
aws_cross_account_activity.yml
38 lines (36 loc) · 2.03 KB
/
aws_cross_account_activity.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
name: AWS Cross Account Activity
id: 2f2f610a-d64d-48c2-b57c-967a2b49ab5a
version: 1
date: '2018-06-04'
author: David Dorsey, Splunk
description: Track when a user assumes an IAM role in another AWS account to obtain
cross-account access to services and resources in that account. Accessing new roles
could be an indication of malicious activity.
narrative: 'Amazon Web Services (AWS) admins manage access to AWS resources and services
across the enterprise using AWS''s Identity and Access Management (IAM) functionality.
IAM provides the ability to create and manage AWS users, groups, and roles-each
with their own unique set of privileges and defined access to specific resources
(such as EC2 instances, the AWS Management Console, API, or the command-line interface).
Unlike conventional (human) users, IAM roles are assumable by anyone in the organization.
They provide users with dynamically created temporary security credentials that
expire within a set time period.
Herein lies the rub. In between the time between when the temporary credentials
are issued and when they expire is a period of opportunity, where a user could leverage
the temporary credentials to wreak havoc-spin up or remove instances, create new
users, elevate privileges, and other malicious activities-throughout the environment.
This Analytic Story includes searches that will help you monitor your AWS CloudTrail
logs for evidence of suspicious cross-account activity. For example, while accessing
multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious
when an account requests privileges of an account it has not accessed in the past.
After identifying suspicious activities, you can use the provided investigative
searches to help you probe more deeply.'
references:
- https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/
tags:
category:
- Cloud Security
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Security Monitoring