AWS CloudShell Environment Created
The creation of a new AWS CloudShell environment is detected, potentially indicating unauthorized access for command execution within AWS by adversaries without needing local CLI credentials.
This detection identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell providing command-line access to AWS resources directly from the AWS Management Console. The CreateEnvironment API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may abuse CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. This is especially useful if the attacker is already authenticated into the AWS Console. Monitoring environment creation helps detect unauthorized CloudShell usage stemming from compromised console sessions.
Attack Chain
- An attacker compromises AWS console credentials through methods such as phishing or credential stuffing.
- The attacker logs into the AWS Management Console.
- The attacker navigates to the CloudShell service.
- The
CreateEnvironmentAPI is invoked as the attacker launches CloudShell for the first time in a region. - The attacker executes commands within the CloudShell environment to enumerate AWS resources (e.g., using
aws s3 ls). - The attacker attempts to escalate privileges by exploiting misconfigurations or vulnerabilities.
- The attacker uses CloudShell to interact with other AWS services, potentially deploying malicious infrastructure or exfiltrating data.
- The attacker establishes persistence within the AWS environment through methods like creating new IAM users or roles with elevated permissions.
Impact
Successful exploitation via CloudShell can lead to unauthorized access to AWS resources, data exfiltration, and deployment of malicious infrastructure. While the source material does not specify a number of victims, the impact can range from minor data breaches to significant disruptions of AWS-hosted services, depending on the permissions of the compromised account and the attacker's objectives. Even with MFA enabled, sufficiently sophisticated attackers might bypass these protections.
Recommendation
- Deploy the Sigma rule "AWS CloudShell Environment Created" to your SIEM using
event.dataset: "aws.cloudtrail" and event.provider: "cloudshell.amazonaws.com" and event.action: "CreateEnvironment"to detect initial environment creation. - Correlate CloudShell creation events with preceding
ConsoleLoginevents by reviewingsource.ipanduser_agent.originalto investigate session origin and login context. - Restrict CloudShell access using Service Control Policies (SCPs) or IAM policies for accounts that do not require it, as mentioned in the overview, to limit the attack surface.
Detection coverage 2
AWS CloudShell Environment Created
lowDetects the creation of a new AWS CloudShell environment.
AWS CloudShell Execution via Cloud API
mediumDetects command execution via Cloud API in AWS CloudShell
Detection queries are available on the platform. Get full rules →