AWS IAM Roles Anywhere trust anchor created
Goal
Detect when an IAM Roles Anywhere trust anchor is created.
Strategy
This rule monitors CloudTrail logs for CreateTrustAnchor API calls (eventSource rolesanywhere.amazonaws.com). An attacker who has gained access to an account may attempt to establish persistence by creating an IAM Roles Anywhere trust anchor. IAM Roles Anywhere lets workloads that do not run in AWS obtain temporary credentials for IAM roles by presenting an X.509 client certificate issued by a trusted certificate authority; the trust anchor is the object that registers that CA (an AWS Private CA or an external CA certificate bundle) as trusted. A trust anchor alone grants nothing: a Roles Anywhere profile must map it to one or more roles, and each role's trust policy must allow the rolesanywhere.amazonaws.com service principal. Once that chain exists, whoever holds the CA's private key can mint client certificates and keep access to those roles even after IAM user credentials are rotated, which is what makes an unexpected CreateTrustAnchor worth investigating.
Triage & response
- Determine if the API call {{@evt.name}} should have been performed by the user {{@userIdentity.arn}}.
  - Contact the user to confirm if they made the API call.
- If the API call was not made by the user:
  - Rotate the user credentials.
  - Determine what other actions the user took, including any new access keys the user created and, for this rule, any CreateProfile calls that map the new trust anchor to roles and any role trust policies that allow the rolesanywhere.amazonaws.com service principal. Disable or delete the trust anchor and its profiles so certificates issued by the attacker's CA can no longer be exchanged for credentials.
  - Begin your organization's incident response process and investigate.
- If the API call was made legitimately by the user:
  - Confirm that an IAM Roles Anywhere trust anchor is the proper authentication mechanism for the workload, that the certificate authority behind it is one your organization controls, and that the trust policies of the roles it can reach are scoped to that specific trust anchor (for example with an aws:SourceArn condition) rather than to any trust anchor in the account.
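As an added example that is not part of the original rule page and is not Datadog's or AWS's code, the following Python script applies the detection described under Strategy to a constructed CloudTrail file and supports the triage steps above: it lists each CreateTrustAnchor event with the actor, source IP and CA type (external certificate bundles first, since an attacker-controlled CA is the persistence case), lists the same principal's follow-on Roles Anywhere and IAM calls, and checks whether a role trust policy admits Roles Anywhere and which trust anchors it is pinned to. All records, ARNs, account IDs and IP addresses are constructed; the requestParameters layout is assumed to mirror the CreateTrustAnchor API request.

```python
"""Added example for this rule (not Datadog's or AWS's code): scan a CloudTrail
file for CreateTrustAnchor calls and check role trust policies during triage.
All records, ARNs, account IDs and IP addresses below are constructed."""
import json

ROLES_ANYWHERE = "rolesanywhere.amazonaws.com"
ACTOR = "arn:aws:iam::111122223333:user/alice"  # constructed
ANCHOR_ARN = "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/a1b2c3d4"  # constructed

# Constructed CloudTrail records in the {"Records": [...]} file layout. The
# requestParameters shape is assumed to mirror the CreateTrustAnchor API request
# (name, source.sourceType); certificate bodies are elided.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": ROLES_ANYWHERE,
     "eventName": "CreateTrustAnchor", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": ACTOR},
     "requestParameters": {"name": "vendor-ca", "enabled": True,
                           "source": {"sourceType": "CERTIFICATE_BUNDLE",
                                      "sourceData": {"x509CertificateData": "<elided>"}}}},
    {"eventTime": "2024-05-01T10:05:40Z", "eventSource": ROLES_ANYWHERE,
     "eventName": "CreateProfile", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": ACTOR},
     "requestParameters": {"name": "vendor-profile",
                           "roleArns": ["arn:aws:iam::111122223333:role/DataReader"]}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": ROLES_ANYWHERE,
     "eventName": "CreateTrustAnchor", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/PlatformAdmin/bob"},
     "requestParameters": {"name": "corp-pca", "enabled": True,
                           "source": {"sourceType": "AWS_ACM_PCA",
                                      "sourceData": {"acmPcaArn": "arn:aws:acm-pca:eu-west-1:111122223333:certificate-authority/0000"}}}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": ACTOR}, "requestParameters": {"userName": "alice"}},
]})

# Constructed role trust policies: pinned to one trust anchor, usable by any
# trust anchor in the account, and unrelated to Roles Anywhere.
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ROLES_ANYWHERE},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    "Condition": {"ArnEquals": {"aws:SourceArn": ANCHOR_ARN}}}]}
UNSCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": [ROLES_ANYWHERE]},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]}]}
EC2_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}


def find_trust_anchor_creations(log_text):
    """One triage summary per CreateTrustAnchor event, external-CA anchors first.

    A CERTIFICATE_BUNDLE anchor trusts a CA whose key lives outside the account,
    so whoever holds that key can mint client certificates indefinitely."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != ROLES_ANYWHERE or rec.get("eventName") != "CreateTrustAnchor":
            continue
        params = rec.get("requestParameters") or {}
        source_type = (params.get("source") or {}).get("sourceType", "UNKNOWN")
        hits.append({"time": rec.get("eventTime"), "actor": rec.get("userIdentity", {}).get("arn"),
                     "source_ip": rec.get("sourceIPAddress"), "name": params.get("name"),
                     "source_type": source_type, "external_ca": source_type == "CERTIFICATE_BUNDLE"})
    return sorted(hits, key=lambda h: (not h["external_ca"], h["time"]))


def related_actions(log_text, actor_arn):
    """Other Roles Anywhere and IAM calls by the same principal (a CreateProfile
    right after the anchor, or new access keys, is what triage looks for)."""
    return [(rec["eventTime"], rec["eventName"]) for rec in json.loads(log_text)["Records"]
            if rec.get("userIdentity", {}).get("arn") == actor_arn
            and rec.get("eventName") != "CreateTrustAnchor"
            and rec.get("eventSource") in (ROLES_ANYWHERE, "iam.amazonaws.com")]


def roles_anywhere_anchors(trust_policy):
    """Trust anchors a role trust policy admits via an aws:SourceArn condition.

    Returns None if no Allow statement names the Roles Anywhere service principal,
    the list of pinned anchor ARNs otherwise, and [] when the principal is allowed
    without pinning (any trust anchor in the account can reach the role)."""
    result = None
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = (stmt.get("Principal") or {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        if ROLES_ANYWHERE not in services:
            continue
        anchors = []
        for op in ("ArnEquals", "ArnLike"):
            src = stmt.get("Condition", {}).get(op, {}).get("aws:SourceArn", [])
            anchors.extend([src] if isinstance(src, str) else src)
        result = (result or []) + anchors
    return result


if __name__ == "__main__":
    for hit in find_trust_anchor_creations(SAMPLE_CLOUDTRAIL):
        print(hit, "follow-on:", related_actions(SAMPLE_CLOUDTRAIL, hit["actor"]))
    for label, pol in (("scoped", SCOPED_TRUST), ("unscoped", UNSCOPED_TRUST), ("ec2", EC2_TRUST)):
        print(label, roles_anywhere_anchors(pol))
```

In a real investigation the trust policies come from the IAM API (GetRole) for every role listed in the profiles' roleArns; the check above is the same regardless of where the document is read from. An unpinned policy (empty list) is the one to tighten even when the trust anchor itself turns out to be legitimate.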