Skip to content
Threat Feed
low advisory

AWS SNS Topic Created by Rare User

An AWS SNS topic was created by a user who does not typically perform this action, potentially indicating resource development for data exfiltration or other malicious activities.

This detection identifies when an AWS Simple Notification Service (SNS) topic is created by a user or role that doesn't typically perform this action. Adversaries might create SNS topics to stage capabilities for data exfiltration, lateral movement, or other malicious activities within the AWS environment. This detection leverages a "New Terms" rule, specifically designed to flag the initial occurrence of this behavior for a given user or role within an AWS account. The rule focuses on identifying anomalous SNS topic creation events, providing an early warning signal for potentially malicious activity related to resource development within AWS. It is triggered by the CreateTopic event in AWS CloudTrail logs, ensuring comprehensive coverage of SNS topic creation attempts.

Attack Chain

  1. An attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed IAM role. (T1566)
  2. The attacker attempts to create a new SNS topic using the AWS CLI, SDK, or Console. The CreateTopic API call is made.
  3. The CreateTopic request includes parameters such as the topic name, display name, and other attributes related to the SNS topic configuration.
  4. AWS CloudTrail logs the CreateTopic event, capturing details such as the user identity (ARN, type, access key ID), source IP, user agent, and request parameters.
  5. The "New Terms" rule analyzes the CloudTrail logs and identifies that the user or role creating the SNS topic has not previously performed this action within the observed timeframe.
  6. The newly created SNS topic can be used by the attacker to subscribe to events and receive notifications about activities within the AWS environment. (T1496)
  7. The attacker can then configure the SNS topic to trigger Lambda functions or S3 events, which allows persistence in the environment.
  8. Ultimately, the adversary may use the SNS topic for data exfiltration, lateral movement, or other malicious purposes, leveraging the messaging capabilities of SNS.

Impact

Successful exploitation allows attackers to stage capabilities within the AWS environment. While creating an SNS topic is not inherently malicious, it can be a precursor to more serious attacks. Depending on the subsequent actions taken by the attacker, this could lead to data exfiltration, resource hijacking, or other forms of impact within the AWS infrastructure. The severity depends on the scope of access available to the compromised user or role and the configurations of the newly created SNS topic.

Recommendation

  • Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect unusual SNS topic creation activities (see rule: "AWS SNS Topic Created by Rare User").
  • Investigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and request parameters associated with the SNS topic creation event.
  • Monitor for further SNS modifications, such as Publish or Subscribe events, following the initial topic creation event (see Overview).
  • Enforce least privilege IAM policies and enable multi-factor authentication (MFA) to reduce the risk of unauthorized access to AWS resources (see Overview).

Detection coverage 2

AWS SNS Topic Created by Rare User

low

Detects the creation of an AWS SNS topic by a user who does not typically perform this action.

sigma tactics: impact, resource_development techniques: T1608 sources: cloudtrail, aws

AWS SNS Topic Creation with Suspicious Name

medium

Detects the creation of an AWS SNS topic with a suspicious or random-looking name.

sigma tactics: impact, resource_development techniques: T1608 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →