AWS Disable Cloudtrail with event selectors

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when CloudTrail has been disabled by creating an event selector on the Trail.

Strategy

This rule lets you monitor CloudTrail and detect if an attacker used the PutEventSelectors API call to filter out management events, effectively disabling CloudTrail for the specified Trail.

See the public Proof of Concept (PoC) for this attack.

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made the {{@evt.name}} API call.
  2. If the API call was not made legitimately by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Remove the event selector using the aws-cli command put-event-selectors or use the AWS console to revert the event selector back to the last known good state.
  1. If the API call was made legitimately by the user:
  • Determine if the user was authorized to make that change.
  • If Yes, work with the user to ensure that CloudTrail logs for the affected account {{@userIdentity.accountId}} are being sent to the Datadog platform.
  • If No, remove the event selector using the aws-cli command put-event-selectors or reference the AWS console documentation to revert the event selector back to the last known good state.

Changelog

  • 17 October 2022 - Updated tags.
PREVIEWING: brett0000FF/node-compatibility