Classification:

compliance

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Framework:

cis-aws

Control:

4.10

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when an AWS security group is opened to the world on a port commonly associated with a database service.

Strategy

Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

• AuthorizeSecurityGroupIngress

This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp or @requestParameters.cidrIp array to determine if either of the strings are contained - 0.0.0.0/0 or ::/0 for the following ports:

• 1433 (MSSQL)
• 3306 (MySQL)
• 5432 (PostgresSQL)
• 5984/6984 (CouchDB)
• 6379 (Redis)
• 9200 (Elasticsearch)
• 27017 (MongoDB)

Database ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.

Note: A separate rule to detect AWS Security Group Open to the World.

Triage and response

1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
2. If the API call was not made by the user:

• Rotate the user credentials.
• Determine what other API calls were made by the user.
• Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.

3. If the API call was made legitimately by the user:

• Advise the user to modify the IP range to the company private network or bastion host.

4. Revert security group configuration back to known good state if required:

• Use the aws-cli command revoke-security-group-ingress or the AWS console to remove the rule.
• Use the aws-cli command modify-security-group-rules or AWS console to modify the existing rule.

Changelog

15 December 2022 - Updated rule query and severity.