AWS CloudShell Environment Creation Detection
Detection of AWS CloudShell environment creation can indicate unauthorized command execution within AWS by an adversary leveraging a compromised console session to interact with AWS services.
AWS CloudShell provides command-line access to AWS resources directly from the AWS Management Console. The CreateEnvironment API is called when a user launches CloudShell for the first time or accesses CloudShell in a new AWS region. An adversary with compromised console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. This can occur even if MFA is enabled for the account if the adversary has already bypassed that control. Monitoring CloudShell environment creation helps detect unauthorized usage from compromised console sessions and is an indicator of potential malicious activity within the AWS environment. The rule focuses on detecting the initial creation of the CloudShell environment via the CreateEnvironment API call.
Attack Chain
- An attacker gains unauthorized access to an AWS account through compromised credentials or a session hijack (T1078.004).
- The attacker logs into the AWS Management Console using the compromised account (TA0001).
- The attacker navigates to the CloudShell service within the AWS Management Console.
- Since CloudShell hasn't been used before in the AWS region, the
CreateEnvironmentAPI is invoked (T1059.009). - The attacker uses the CloudShell environment to execute commands and scripts to enumerate AWS resources.
- The attacker leverages the AWS CLI within CloudShell to create new IAM users or roles with elevated privileges.
- The attacker uses CloudShell to deploy malicious code or modify existing cloud resources (e.g., S3 buckets, EC2 instances).
- The attacker attempts to exfiltrate data or establish persistence within the AWS environment using the resources accessed and modified via CloudShell (TA0002).
Impact
A successful attack can lead to unauthorized access to AWS resources, data exfiltration, privilege escalation, and deployment of malicious code within the AWS environment. This can result in data breaches, service disruptions, and financial losses. While the severity is rated low, successful exploitation can lead to significant downstream impact. The impact is highly dependent on the permissions associated with the compromised account used to access CloudShell.
Recommendation
- Deploy the Sigma rule
AWS CloudShell Environment Createdto detect the initial creation of CloudShell environments in your AWS environment. - Review
aws.cloudtrail.user_identity.arnto identify the IAM principal that created the CloudShell environment. - Monitor CloudTrail logs for
CreateEnvironmentevents to identify unauthorized CloudShell usage. - Consider restricting CloudShell access via SCPs or IAM policies for sensitive accounts.
- Enable MFA for all console logins to reduce the risk of session compromise as mentioned in the overview.
- Investigate surrounding activity for any IAM operations after CloudShell was accessed, as outlined in the "Triage and analysis" section of the rule description.
Detection coverage 2
AWS CloudShell Environment Created
lowDetects the creation of a new AWS CloudShell environment, which can indicate unauthorized access and command execution within AWS infrastructure.
AWS CloudShell Activity Post Environment Creation
mediumDetects actions performed after a CloudShell environment is created, potentially indicating malicious activity.
Detection queries are available on the platform. Get full rules →