AWS Defend#
CloudTrail and VPC tradecraft for spotting suspicious AWS activity.
Splunk-style searches over aws:cloudtrail source events surface
console logins without MFA, GPU mining instances, wide-open security
groups, world-readable buckets, and other indicators of compromise.
CloudTrail monitoring#
Successful logins (without MFA).
sourcetype="aws:cloudtrail" eventName="ConsoleLogin"
"responseElements.ConsoleLogin"=Success
"additionalEventData.MFAUsed"=No
Failed logins by source.
sourcetype="aws:cloudtrail" eventName="ConsoleLogin"
"responseElements.ConsoleLogin"=Failure
| iplocation sourceIPAddress
| stats count by userName, userIdentity.accountId, eventSource,
sourceIPAddress, Country, City, errorMessage
| sort - count
CryptoMining GPU instance abuse.
sourcetype="aws:cloudtrail" eventSource="ec2.amazonaws.com" eventName="RunInstances"
| spath output=instanceType path=requestParameters.instanceType
| spath output=minCount path=requestParameters.instancesSet{}.items{}.minCount
| search instanceType IN ("p3.2xlarge","p3.8xlarge","p3.16xlarge","p3dn.24xlarge",
"p2.xlarge","p2.8xlarge","p2.16xlarge","g3s.xlarge","g3.4xlarge","g3.8xlarge","g3.16xlarge")
| stats count by eventSource, eventName, awsRegion, userName, userIdentity.accountId,
sourceIPAddress, userIdentity.type, requestParameters.instanceType,
responseElements.instancesSet.items{}.instanceId,
responseElements.instancesSet.items{}.networkInterfaceSet.items{}.privateIpAddress, minCount
| fields - count
Security-group ingress from anywhere (port 22).
sourcetype="aws:cloudtrail" eventSource="ec2.amazonaws.com" eventName="AuthorizeSecurityGroupIngress"
| spath output=fromPort path=requestParameters.ipPermissions.items{}.fromPort
| spath output=toPort path=requestParameters.ipPermissions.items{}.toPort
| spath output=cidrIp path=requestParameters.ipPermissions.items{}.ipRanges.items{}.cidrIp
| spath output=groupId path=requestParameters.groupId
| search fromPort=22 toPort=22 AND cidrIp="0.0.0.0/0"
Network ACL creation allowing all sources.
sourcetype="aws:cloudtrail" eventSource="ec2.amazonaws.com" eventName=CreateNetworkAclEntry
| spath output=cidrBlock path=requestParameters.cidrBlock
| spath output=ruleAction path=requestParameters.ruleAction
| search cidrBlock=0.0.0.0/0 ruleAction=Allow
Detect public S3 buckets.
sourcetype="aws:cloudtrail" AllUsers eventName=PutBucketAcl errorCode=Success
| spath output=userIdentityArn path=userIdentity.arn
| spath output=bucketName path=requestParameters.bucketName
| spath output=aclControlList path=requestParameters.AccessControlPolicy.AccessControlList
| spath input=aclControlList output=grantee path=Grant{}
| mvexpand grantee
| spath input=grantee
| search Grantee.URI=*AllUsers
| rename userIdentityArn as user
| table _time, src, awsRegion Permission, Grantee.URI, bucketName, user
VPC traffic mirroring#
Capture and inspect network traffic.
$ aws ec2 create-traffic-mirror-filter --description "TCP Filter"