Skip to content
Threat Feed
medium advisory

AWS IAM AccessDenied Discovery Events

Detection of excessive AccessDenied events within an hour for AWS IAM users, indicating a potential compromised access key used for unauthorized discovery actions.

This analytic focuses on identifying anomalous behavior within AWS environments where IAM users are generating a high number of AccessDenied errors. Specifically, it looks for a surge in these errors occurring within a one-hour window, originating from the same source IP and user identity. The underlying data source is AWS CloudTrail logs. This activity is potentially indicative of a compromised access key being leveraged to perform unauthorized discovery actions. Attackers may attempt to enumerate resources, policies, or other sensitive information within the AWS environment in order to escalate privileges or identify valuable targets for further exploitation. The detection logic aims to identify instances where the number of failures reaches a threshold that is unlikely to occur during normal operations. The Splunk AWS Add-on and Splunk App for AWS are required to ingest and parse the CloudTrail data.

Attack Chain

  1. The attacker gains unauthorized access to an AWS IAM access key, possibly through credential theft or exposed secrets.
  2. The attacker uses the compromised access key to make API requests to AWS services.
  3. The attacker attempts to enumerate AWS resources, such as EC2 instances, S3 buckets, or IAM roles, without having the necessary permissions.
  4. AWS CloudTrail logs record the AccessDenied errors generated by the unauthorized API requests. The errors include information about the user, source IP, attempted actions, and AWS services.
  5. The attacker iterates through different AWS API calls and resource types to map out the organization's cloud infrastructure and identify potential targets.
  6. The detection identifies IAM users generating excessive AccessDenied errors from the same source IP address within an hour.
  7. If successful, the attacker gains insights into the AWS environment, enabling them to identify misconfigurations, vulnerabilities, and potential targets for further exploitation.
  8. The attacker uses gathered information to move laterally, escalate privileges, or exfiltrate data.

Impact

A successful attack of this nature can result in significant data breaches, service disruptions, and financial losses. Attackers can leverage discovered vulnerabilities to compromise sensitive data stored in S3 buckets or other AWS services. Unauthorized access to IAM roles and policies could lead to privilege escalation and the ability to control critical infrastructure. The number of potential victims is vast, as many organizations rely on AWS for their cloud infrastructure. The targeted sectors are diverse, ranging from finance and healthcare to technology and government.

Recommendation

  • Deploy the provided Sigma rule to your SIEM and tune the failures threshold based on your environment's baseline activity to minimize false positives.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the root cause of the AccessDenied errors and whether the involved IAM user or access key has been compromised.
  • Enable and review AWS CloudTrail logs to capture all API activity within your AWS environment, as specified in the data source requirements.
  • Implement multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise.
  • Utilize IAM roles with the principle of least privilege to minimize the impact of compromised access keys.

Detection coverage 2

AWS IAM Excessive AccessDenied Errors

medium

Detects an IAM user generating an excessive number of AccessDenied errors within a short timeframe, potentially indicating a compromised access key.

sigma tactics: discovery techniques: T1580 sources: cloudtrail, aws

AWS IAM AccessDenied from Unusual User Agent

low

Detects AccessDenied errors associated with unusual user agents, which may indicate the use of malicious tools or scripts.

sigma tactics: discovery techniques: T1580 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →