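# Panther detection rule: alert when the AWS root user creates a long-term
# access key for itself. The match logic lives in the companion Python file
# named in `Filename`; this YAML carries metadata, triage guidance and the
# unit tests that pin the intended true/false boundary.
AnalysisType: rule
Filename: aws_root_access_key_created.py
RuleID: "AWS.CloudTrail.RootAccessKeyCreated"
DisplayName: "Root Account Access Key Created"
Enabled: true
LogTypes:
  - AWS.CloudTrail
Tags:
  - AWS
  - Identity and Access Management
  - Persistence:Account Manipulation
Reports:
  MITRE ATT&CK:
    - TA0003:T1098
# Critical: a root access key is an unrestricted, non-expiring credential for
# the whole account and bypasses every IAM policy boundary.
Severity: Critical
Description: >
  The root user created an access key for itself (iam:CreateAccessKey with
  userIdentity.type "Root" and no target userName). Root creating a key for an
  IAM user is intentionally not matched; see the second unit test below.
Runbook: >
  Treat this as unauthorized unless proven otherwise: AWS guidance (see
  Reference) is that the root user should hold no long-term access keys at
  all. Confirm with the account owner that the key was created deliberately.
  Use sourceIPAddress, userAgent and
  userIdentity.sessionContext.attributes.mfaAuthenticated from the event to
  judge whether the root session itself was legitimate. Take
  responseElements.accessKey.accessKeyId from the event and search CloudTrail
  for any API calls already made with that key. If the creation was not
  legitimate, deactivate and then delete the key, change the root password,
  verify MFA is enabled on the root user, and review all other root activity
  around eventTime for follow-on changes. If it was legitimate, monitor the
  key's use and ensure it is deleted as soon as it is no longer needed.
Reference: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
# Surfaced on the alert so a responder can attribute the session at a glance.
SummaryAttributes:
  - userAgent
  - sourceIpAddress
  - recipientAccountId
  - p_any_aws_arns
Tests:
  # Positive case: root (userIdentity.type "Root", arn ...:root) calls
  # CreateAccessKey with requestParameters null, i.e. the key is its own.
  # MFA being true does not suppress the alert; the key itself is the risk.
  - Name: Root Access Key Created
    ExpectedResult: true
    Log:
      {
        "awsRegion": "us-east-1",
        "eventID": "1111",
        "eventName": "CreateAccessKey",
        "eventSource": "iam.amazonaws.com",
        "eventTime": "2019-01-01T00:00:00Z",
        "eventType": "AwsApiCall",
        "eventVersion": "1.05",
        "recipientAccountId": "123456789012",
        "requestID": "1111",
        "requestParameters": null,
        "responseElements":
          {
            "accessKey":
              {
                "accessKeyId": "1111",
                "createDate": "Jan 01, 2019 0:00:00 PM",
                "status": "Active",
              },
          },
        "sourceIPAddress": "111.111.111.111",
        "userAgent": "signin.amazonaws.com",
        "userIdentity":
          {
            "accessKeyId": "1111",
            "accountId": "123456789012",
            "arn": "arn:aws:iam::123456789012:root",
            "invokedBy": "signin.amazonaws.com",
            "principalId": "123456789012",
            "sessionContext":
              {
                "attributes":
                  {
                    "creationDate": "2019-01-01T00:00:00Z",
                    "mfaAuthenticated": "true",
                  },
              },
            "type": "Root",
          },
      }
  # Negative case: the caller is still root, but the key belongs to IAM user
  # "example-user" (requestParameters.userName and
  # responseElements.accessKey.userName are set). Presumably the rule body
  # keys on that userName being present/absent; confirm against the .py.
  # Root creating keys for IAM users is covered by other rules, not this one.
  - Name: Root Created Access Key For User
    ExpectedResult: false
    Log:
      {
        "awsRegion": "us-east-1",
        "eventID": "1111",
        "eventName": "CreateAccessKey",
        "eventSource": "iam.amazonaws.com",
        "eventTime": "2019-01-01T00:00:00Z",
        "eventType": "AwsApiCall",
        "eventVersion": "1.05",
        "recipientAccountId": "123456789012",
        "requestID": "1111",
        "requestParameters": { "userName": "example-user" },
        "responseElements":
          {
            "accessKey":
              {
                "accessKeyId": "1111",
                "createDate": "Jan 01, 2019 0:00:00 PM",
                "status": "Active",
                "userName": "example-user",
              },
          },
        "sourceIPAddress": "111.111.111.111",
        "userAgent": "signin.amazonaws.com",
        "userIdentity":
          {
            "accessKeyId": "1111",
            "accountId": "123456789012",
            "arn": "arn:aws:iam::123456789012:root",
            "invokedBy": "signin.amazonaws.com",
            "principalId": "123456789012",
            "sessionContext":
              {
                "attributes":
                  {
                    "creationDate": "2019-01-01T00:00:00Z",
                    "mfaAuthenticated": "true",
                  },
              },
            "type": "Root",
          },
      }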