AWS IAM AmazonSESFullAccess policy was applied to a group

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when the AmazonSESFullAccess policy is attached to an AWS IAM group.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy AmazonSESFullAccess to an AWS IAM group using the AttachGroupPolicy API call. An attacker with an objective of leveraging the AWS Simple Email Service (SES) may only attach a policy relating to SES to avoid detections relating to the AWS managed policy [AdministratorAccess].

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Remove the AmazonSESFullAccess policy from the {{@requestParameters.groupName}} group using the aws-cli command detach-group-policy.
  1. If the API call was made legitimately by the user:
  • Determine if the group {{@requestParameters.groupName}} requires the AmazonSESFullAccess policy to perform the intended function.
  • Advise the user to find the least privileged policy that allows the group to operate as intended.
PREVIEWING: aliciascott/DOCS-9725-Cloudcraft