Amazon SNS enumeration in multiple regions using a long-term access key
Goal
Detect when the Amazon Simple Notification Service (SNS) is enumerated across multiple regions using a long-term access key.
Strategy
Monitor CloudTrail and detect when Amazon SNS has been enumerated across multiple regions using a long-term access key with one of the following API calls:
With these API calls, an attacker can determine the account’s monthly SMS spending limit and whether the account is in an SMS sandbox. An attacker may target this service for the purpose of SMS phishing.
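The following is an added example of the detection logic described above, run over constructed CloudTrail-style events; it is not Datadog's rule implementation. It assumes that a long-term IAM user access key is identified by the `AKIA` prefix (temporary STS keys use `ASIA`), and, since this page does not list the rule's exact API calls, it uses the SNS actions `GetSMSAttributes` and `GetSMSSandboxAccountStatus` (real SNS API actions matching the spend-limit and sandbox checks mentioned) as an assumed enumeration set. The region threshold and sample events are likewise constructed.

```python
"""Flag SNS enumeration across multiple AWS regions by one long-term access key.

Added example, not Datadog's rule code. Event shapes follow CloudTrail's
eventSource / eventName / awsRegion / userIdentity fields.
"""
from collections import defaultdict

# Assumption: SNS actions that reveal the SMS spend limit / sandbox status.
# The page does not list the rule's exact API calls, so this set is illustrative.
SNS_ENUM_ACTIONS = {"GetSMSAttributes", "GetSMSSandboxAccountStatus"}

# Long-term IAM user access keys start with AKIA; STS temporary keys start with ASIA.
LONG_TERM_KEY_PREFIX = "AKIA"


def is_long_term_key(access_key_id):
    """True for a long-term IAM user access key (AKIA...), False for temporary ones."""
    return access_key_id.startswith(LONG_TERM_KEY_PREFIX)


def find_multi_region_sns_enumeration(events, min_regions=3):
    """Return {accessKeyId: {"regions": [...], "arn": ..., "ips": [...]}} for every
    long-term key that called an SNS enumeration action in >= min_regions regions."""
    by_key = defaultdict(lambda: {"regions": set(), "ips": set(), "arn": None})
    for ev in events:
        if ev.get("eventSource") != "sns.amazonaws.com":
            continue
        if ev.get("eventName") not in SNS_ENUM_ACTIONS:
            continue
        identity = ev.get("userIdentity", {})
        key = identity.get("accessKeyId", "")
        if not is_long_term_key(key):
            continue  # temporary credentials are out of scope for this rule
        entry = by_key[key]
        entry["regions"].add(ev.get("awsRegion"))
        entry["ips"].add(ev.get("sourceIPAddress"))
        entry["arn"] = identity.get("arn")
    return {
        key: {"regions": sorted(e["regions"]), "ips": sorted(e["ips"]), "arn": e["arn"]}
        for key, e in by_key.items()
        if len(e["regions"]) >= min_regions
    }


def _event(name, region, key, arn, ip, source="sns.amazonaws.com"):
    """Helper to build a constructed CloudTrail-like record."""
    return {
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key, "arn": arn},
    }


# Constructed sample data (no real keys, accounts or addresses).
KEY_LT_SWEEP = "AKIAEXAMPLE111111111"   # long-term key sweeping four regions
KEY_LT_SINGLE = "AKIAEXAMPLE222222222"  # long-term key, one region only
KEY_TEMP = "ASIAEXAMPLE333333333"       # temporary key, should be ignored
ARN_SWEEP = "arn:aws:iam::123456789012:user/example-user"
ARN_TEMP = "arn:aws:sts::123456789012:assumed-role/example-role/session"

SAMPLE_EVENTS = [
    _event("GetSMSAttributes", "us-east-1", KEY_LT_SWEEP, ARN_SWEEP, "198.51.100.7"),
    _event("GetSMSAttributes", "us-west-2", KEY_LT_SWEEP, ARN_SWEEP, "198.51.100.7"),
    _event("GetSMSSandboxAccountStatus", "eu-west-1", KEY_LT_SWEEP, ARN_SWEEP, "198.51.100.7"),
    _event("GetSMSAttributes", "ap-southeast-1", KEY_LT_SWEEP, ARN_SWEEP, "198.51.100.7"),
    _event("GetSMSAttributes", "us-east-1", KEY_LT_SINGLE, ARN_SWEEP, "203.0.113.9"),
    _event("GetSMSAttributes", "us-east-1", KEY_TEMP, ARN_TEMP, "203.0.113.9"),
    _event("GetSMSAttributes", "us-west-2", KEY_TEMP, ARN_TEMP, "203.0.113.9"),
    _event("GetSMSAttributes", "eu-west-1", KEY_TEMP, ARN_TEMP, "203.0.113.9"),
    # Non-enumeration SNS call in several regions is not a match for this rule.
    _event("Publish", "us-east-1", KEY_LT_SINGLE, ARN_SWEEP, "203.0.113.9"),
    _event("Publish", "eu-west-1", KEY_LT_SINGLE, ARN_SWEEP, "203.0.113.9"),
    _event("Publish", "us-west-2", KEY_LT_SINGLE, ARN_SWEEP, "203.0.113.9"),
]


if __name__ == "__main__":
    for key, signal in find_multi_region_sns_enumeration(SAMPLE_EVENTS).items():
        print(f"{key} ({signal['arn']}) enumerated SNS in {signal['regions']} from {signal['ips']}")
```

The output of `find_multi_region_sns_enumeration` carries the same three fields the triage steps below rely on (the calling user's ARN, the source IP, and the set of regions), which is what an analyst needs to decide whether the key's owner legitimately ran a multi-region inventory or whether the key has been exposed.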
Triage and response
- Determine if the API call {{@evt.name}} should have been made by the user {{@userIdentity.arn}} from this IP address: {{@network.client.ip}}.
- If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
- If the action shouldn’t have happened:
  - Contact the user {{@userIdentity.arn}} and see if they made the API call.
  - Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
  - Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
- If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.
Changelog
- 11 March 2024 - Reduced cardinality of threshold for high and medium severity signal.