AWS Defend#

CloudTrail and VPC tradecraft for spotting suspicious AWS activity. Splunk-style searches over aws:cloudtrail source events surface console logins without MFA, GPU mining instances, wide-open security groups, world-readable buckets, and other indicators of compromise.

CloudTrail monitoring#

Successful logins (without MFA).

sourcetype="aws:cloudtrail" eventName="ConsoleLogin"
"responseElements.ConsoleLogin"=Success
"additionalEventData.MFAUsed"=No

Failed logins by source.

sourcetype="aws:cloudtrail" eventName="ConsoleLogin"
"responseElements.ConsoleLogin"=Failure
| iplocation sourceIPAddress
| stats count by userName, userIdentity.accountId, eventSource,
    sourceIPAddress, Country, City, errorMessage
| sort - count

CryptoMining GPU instance abuse.

sourcetype="aws:cloudtrail" eventSource="ec2.amazonaws.com" eventName="RunInstances"
| spath output=instanceType path=requestParameters.instanceType
| spath output=minCount path=requestParameters.instancesSet{}.items{}.minCount
| search instanceType IN ("p3.2xlarge","p3.8xlarge","p3.16xlarge","p3dn.24xlarge",
    "p2.xlarge","p2.8xlarge","p2.16xlarge","g3s.xlarge","g3.4xlarge","g3.8xlarge","g3.16xlarge")
| stats count by eventSource, eventName, awsRegion, userName, userIdentity.accountId,
    sourceIPAddress, userIdentity.type, requestParameters.instanceType,
    responseElements.instancesSet.items{}.instanceId,
    responseElements.instancesSet.items{}.networkInterfaceSet.items{}.privateIpAddress, minCount
| fields - count

Security-group ingress from anywhere (port 22).

sourcetype="aws:cloudtrail" eventSource="ec2.amazonaws.com" eventName="AuthorizeSecurityGroupIngress"
| spath output=fromPort path=requestParameters.ipPermissions.items{}.fromPort
| spath output=toPort   path=requestParameters.ipPermissions.items{}.toPort
| spath output=cidrIp   path=requestParameters.ipPermissions.items{}.ipRanges.items{}.cidrIp
| spath output=groupId  path=requestParameters.groupId
| search fromPort=22 toPort=22 AND cidrIp="0.0.0.0/0"

Network ACL creation allowing all sources.

sourcetype="aws:cloudtrail" eventSource="ec2.amazonaws.com" eventName=CreateNetworkAclEntry
| spath output=cidrBlock path=requestParameters.cidrBlock
| spath output=ruleAction path=requestParameters.ruleAction
| search cidrBlock=0.0.0.0/0 ruleAction=Allow

Detect public S3 buckets.

sourcetype="aws:cloudtrail" AllUsers eventName=PutBucketAcl errorCode=Success
| spath output=userIdentityArn path=userIdentity.arn
| spath output=bucketName path=requestParameters.bucketName
| spath output=aclControlList path=requestParameters.AccessControlPolicy.AccessControlList
| spath input=aclControlList output=grantee path=Grant{}
| mvexpand grantee
| spath input=grantee
| search Grantee.URI=*AllUsers
| rename userIdentityArn as user
| table _time, src, awsRegion Permission, Grantee.URI, bucketName, user

VPC traffic mirroring#

Capture and inspect network traffic.

$ aws ec2 create-traffic-mirror-filter --description "TCP Filter"

References#