Possible privilege escalation via AWS login profile manipulation
Goal
Detect a user or role attempting to create or update the password for a specified IAM user.
Strategy
This rule allows you to monitor CloudTrail and detect if an attacker has attempted to create or update a password for an IAM user using the CreateLoginProfile or UpdateLoginProfile API calls respectively.
Triage and response
- Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
- If the API call was not made by the user:
  - Rotate user credentials.
  - Determine what other API calls were made by the user.
  - Remove any passwords generated by the user with the aws-cli command delete-login-profile or use the AWS Console.
- If the API call was made by the user:
  - Determine if the user should be performing this API call.
  - If not, see if other API calls were made by the user and determine if they warrant further investigation.
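The detection from the Strategy section and the fields the triage steps ask for, as an added example that is not the rule's own query or Datadog code: it scans constructed CloudTrail records for the two watched IAM API calls and returns the session name, the targeted user and whether the actor set a password on an account other than their own. The session-name derivation (last ARN segment for an assumed role, userName for an IAM user) is an assumption of this example.

```python
import json

# Event names this rule watches (from the rule's strategy section).
WATCHED_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}

# Constructed sample CloudTrail records, not real log data; only the fields
# the detection and triage steps need are included.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops-admin/alice"},
     "requestParameters": {"userName": "bob"}, "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"userName": "carol"}, "sourceIPAddress": "203.0.113.9"},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"userName": "carol"}, "sourceIPAddress": "203.0.113.9"},
]})


def session_name(identity: dict) -> str:
    """Actor name as the triage step refers to it (assumed derivation: last ARN
    segment for an AssumedRole session, userName for an IAMUser)."""
    if identity.get("type") == "AssumedRole":
        return identity.get("arn", "").rsplit("/", 1)[-1]
    return identity.get("userName", "unknown")


def detect_login_profile_changes(cloudtrail_json: str) -> list:
    """Flag CreateLoginProfile/UpdateLoginProfile calls; return triage fields."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (rec.get("eventSource") != "iam.amazonaws.com"
                or rec.get("eventName") not in WATCHED_EVENTS):
            continue
        actor = session_name(rec.get("userIdentity", {}))
        target = rec.get("requestParameters", {}).get("userName", "unknown")
        alerts.append({
            "evt_name": rec["eventName"],
            "session_name": actor,
            "target_user": target,
            # Setting a password on someone else's IAM user is the privilege
            # escalation case; a self-service change is lower risk.
            "targets_other_user": actor != target,
            "source_ip": rec.get("sourceIPAddress"),
        })
    return alerts
```

Calling detect_login_profile_changes(SAMPLE_CLOUDTRAIL) yields two alerts: alice's role session creating a password for bob (flagged as targeting another user) and carol updating her own.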
ChangeLog
27 June 2023 - Updated rule query, name, case, goal and strategy to reflect login profile creation and login profile update.