このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when an AMI is made public.
Strategy
This rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.
This rule inspects the @requestParameters.launchPermission.add.items.group
array to determine if the string all
is contained. This is the indicator which means the image is made public.
Triage and response
- Determine if the AMI (
@requestParameters.imageId
) should be made public using CloudTrail logs. - Investigate the following ARN (
{{@userIdentity.arn}}
) that made the AMI public. - Contact the user to see if they intended to make the image public.
- If the user did not make the API call:
- Rotate the credentials.
- Investigate if the same credentials made other unauthorized API calls.
- Revert AMI permissions to the original state.
- Begin your company’s IR process and investigate.
Changelog
11 November 2022 - Add steps to Triage and response section.