AWS IAM Roles Anywhere trust anchor created

cloudtrail

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an IAM Roles Anywhere trust anchor is created.

Strategy

This rule monitors CloudTrail logs for CreateTrustAnchor API calls. An attacker may attempt to establish persistence by creating an IAM Roles Anywhere trust anchor. The IAM Roles Anywhere service allows workloads that do not run in AWS to assume roles by presenting a client-side X.509 certificate signed by a trusted certificate authority, called a “trust anchor”.

Triage & response

  1. Determine if the API call: {{@evt.name}} should have been performed by the user: {{@userIdentity.arn}}:
    • Contact the user to confirm if they made the API call.
  2. If the API call was not made by the user:
    • Rotate the user credentials.
    • Determine what actions the user took and which new access keys the user created.
    • Begin your organization’s incident response process and investigate.
  3. If the API call was made legitimately by the user:
    • Confirm if an IAM Roles Anywhere trust anchor is the proper authentication mechanism for the resource.
PREVIEWING: may/unit-testing