Skip to content
Threat Feed
medium advisory

First Time AWS CloudFormation Stack Creation

This rule detects the first time a principal calls AWS CloudFormation CreateStack or CreateStackInstances API, potentially indicating malicious resource deployment by an attacker with elevated privileges.

This detection identifies the initial use of AWS CloudFormation stack creation APIs within an AWS account. AWS CloudFormation allows users to define and provision infrastructure as code through template files. A compromised or malicious actor with sufficient permissions can leverage CloudFormation to deploy infrastructure resources, potentially for malicious purposes like establishing persistence, deploying crypto miners, or creating backdoors. This rule is designed to detect the first instance of CloudFormation stack creation by a specific user or role within an account, highlighting potentially anomalous behavior that warrants further investigation. This rule focuses on CreateStack and CreateStackInstances API calls.

Attack Chain

  1. An attacker gains access to an AWS account through compromised credentials or by exploiting a misconfigured IAM role.
  2. The attacker enumerates existing AWS resources and identifies potential targets for lateral movement or privilege escalation.
  3. The attacker leverages the compromised credentials or IAM role to call the CreateStack or CreateStackInstances API.
  4. The API call uses a CloudFormation template to define the resources to be created within the stack.
  5. The CloudFormation service provisions the resources defined in the template. These resources may include EC2 instances, Lambda functions, IAM roles, or other AWS services.
  6. The attacker uses the deployed resources to establish persistence within the AWS environment.
  7. The attacker performs reconnaissance and identifies sensitive data stored within the environment.
  8. The attacker exfiltrates the sensitive data from the AWS environment.

Impact

Successful exploitation could lead to unauthorized deployment of resources, privilege escalation, persistence within the AWS environment, and potential data exfiltration. This can result in financial loss, reputational damage, and legal ramifications. The number of victims depends on the scope of the compromised account and the resources deployed by the attacker. Targeted sectors could include any organization utilizing AWS CloudFormation for infrastructure management.

Recommendation

  • Deploy the Sigma rule "AWS CloudFormation Stack Creation by New Principal" to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the identity (aws.cloudtrail.user_identity.arn) and the CloudFormation template used (aws.cloudtrail.request_parameters).
  • Review and tighten IAM policies and permissions to adhere to the principle of least privilege, reducing the risk of exploitation.
  • Implement multi-factor authentication (MFA) for all IAM users to mitigate the risk of credential compromise.
  • Monitor CloudTrail logs (logs-aws.cloudtrail-*) for unusual API calls and resource creation events.

Detection coverage 2

AWS CloudFormation Stack Creation by New Principal

medium

Detects the first time a principal calls AWS CloudFormation CreateStack or CreateStackInstances API within an AWS account.

sigma tactics: execution techniques: T1651 sources: cloudtrail, aws

AWS CloudFormation Template Contains IAM Role Creation

medium

Detects CloudFormation templates that contain IAM role creation, which could indicate privilege escalation.

sigma tactics: privilege_escalation techniques: T1556.006 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →