Amazon SNS enumeration in multiple regions using a long-term access key
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when the Amazon Simple Notification Service (SNS) is enumerated across multiple regions using a long-term access key.
Strategy
Monitor CloudTrail and detect when the Amazon SNS has been enumerated across multiple regions using a long-term access key with one of the following API calls:
With these API calls, an attacker can determine the account’s monthly spending limit and if the account is in a SMS sandbox. An attacker may target this service for the purpose of SMS phishing.
Triage and response
- Determine if the API call:
{{@evt.name}}
should have been made by the user: {{@userIdentity.arn}}
from this IP address: {{@network.client.ip}}
. - If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
- If the action shouldn’t have happened:
- Contact the user:
{{@userIdentity.arn}}
and see if they made the API call. - Use the Cloud SIEM - User Investigation dashboard to see if the user
{{@userIdentity.arn}}
has taken other actions. - Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP
{{@network.client.ip}}
.
- If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.
Changelog
- 11 March 2024 - Reduced cardinality of threshold for high and medium severity signal.