<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Identity and Access Management (IAM) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-identity-and-access-management-iam/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 20 Jul 2024 16:27:52 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-identity-and-access-management-iam/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS IAM CompromisedKeyQuarantine Policy Attachment</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-compromised-key-quarantine/</link><pubDate>Sat, 20 Jul 2024 16:27:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-compromised-key-quarantine/</guid><description>Detection of the AWS `CompromisedKeyQuarantine` policy being attached to an IAM user, indicating that AWS has flagged the user's credentials as compromised or publicly exposed, and is providing instructions via a support case for remediation.</description><content:encoded><![CDATA[<p>This detection identifies when the AWS-managed <code>CompromisedKeyQuarantine</code> or <code>CompromisedKeyQuarantineV2</code> policy is attached to an IAM user. This action is performed by AWS in response to identifying compromised or publicly exposed credentials associated with that user. The attachment of this policy restricts the user's ability to perform certain actions within the AWS environment. AWS typically accompanies this action with a support case that provides specific instructions for remediating the compromised credentials and restoring normal access. The rule is designed to alert security teams to this AWS-initiated quarantine so that they can investigate the root cause of the credential compromise and follow AWS's recommended remediation steps. This activity is flagged as high severity because it confirms active credential compromise impacting the cloud environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Credential Exposure:</strong> An IAM user's credentials (access key ID and secret access key) are exposed publicly, e.g., through a code repository, public forum, or misconfigured system.</li>
<li><strong>AWS Detection:</strong> AWS detects the exposed credentials through its monitoring systems.</li>
<li><strong>Policy Attachment:</strong> AWS uses the <code>AttachUserPolicy</code> API operation to attach the <code>CompromisedKeyQuarantine</code> or <code>CompromisedKeyQuarantineV2</code> AWS managed policy to the affected IAM user. This policy restricts the user's permissions.</li>
<li><strong>Support Case Creation:</strong> AWS creates a support case detailing the compromised credentials and providing instructions for remediation.</li>
<li><strong>Notification:</strong> The AWS account owner is notified of the support case and the attached quarantine policy.</li>
<li><strong>Investigation:</strong> The security team investigates the root cause of the credential exposure.</li>
<li><strong>Remediation:</strong> Following the instructions in the support case, the security team disables or rotates the compromised credentials.</li>
<li><strong>Policy Removal:</strong> After the compromised credentials have been addressed, the security team detaches the quarantine policy.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The attachment of the <code>CompromisedKeyQuarantine</code> policy by AWS indicates a significant security event. The user's access to AWS resources is immediately restricted, potentially disrupting legitimate operations. While AWS initiates this quarantine to prevent further damage, the underlying credential compromise could have allowed unauthorized access to sensitive data or resources prior to the quarantine. Successful exploitation prior to detection and remediation could lead to data breaches, resource hijacking, or other malicious activities. The number of affected users and the extent of the potential damage depend on the scope of access granted to the compromised IAM user.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect the attachment of the <code>CompromisedKeyQuarantine</code> policy via the <code>AttachUserPolicy</code> API call in CloudTrail logs to quickly identify compromised IAM user accounts.</li>
<li>Review the <code>aws.cloudtrail.request_parameters</code> field in the CloudTrail logs to identify the specific <code>userName</code> that has been quarantined (as referenced in the &quot;Investigating AWS IAM CompromisedKeyQuarantine Policy Attached to User&quot; section) and correlate with any AWS support cases.</li>
<li>Follow the instructions provided in the AWS support case, prioritizing credential rotation or revocation to prevent further unauthorized access.</li>
<li>Review and update policies on credential storage to prevent public exposure, as highlighted in the &quot;Policy Update&quot; remediation step, referencing the AWS IAM User Guide.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>credential-access</category><category>cloud</category><category>aws</category></item><item><title>AWS KMS Key User Performing S3 Encryption Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-kms-s3-encryption/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-kms-s3-encryption/</guid><description>Detection of AWS users utilizing KMS keys to perform encryption operations on S3 buckets, indicating potential misuse or malicious activity within the cloud environment.</description><content:encoded><![CDATA[<p>This brief focuses on detecting potentially malicious or unauthorized use of AWS Key Management Service (KMS) keys to encrypt data stored in Simple Storage Service (S3) buckets. The detection logic is based on identifying AWS CloudTrail logs indicating encryption operations performed by users who possess KMS keys. While the provided source material does not specify a particular threat actor or campaign, the ability to monitor and detect such activity is crucial for identifying insider threats, compromised accounts, or misconfigured permissions that could lead to data breaches or unauthorized access. This detection capability is a part of the Splunk Enterprise Security Content Update (ESCU) project and allows security teams to quickly identify potentially suspicious activity in their AWS environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or misconfigured IAM roles.</li>
<li>The attacker identifies S3 buckets containing sensitive data.</li>
<li>The attacker discovers KMS keys with permissions to encrypt data in the target S3 buckets.</li>
<li>The attacker uses the KMS keys to encrypt existing objects in the S3 bucket or encrypts new objects as they are uploaded.</li>
<li>The encryption operation is logged in AWS CloudTrail.</li>
<li>A detection rule identifies the user utilizing KMS keys for S3 encryption based on CloudTrail logs.</li>
<li>Security analysts investigate the activity to determine if it is legitimate or malicious.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful unauthorized encryption of S3 buckets using KMS keys can lead to data unavailability, data breaches, and compliance violations. A malicious actor could encrypt data and demand ransom for decryption keys, or they could encrypt data to hide their activities or disrupt services. The number of affected buckets and the sensitivity of the data they contain will determine the scope of the impact. Failure to detect and respond to this type of activity can result in significant financial losses, reputational damage, and legal consequences.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rule <code>Detect AWS KMS Key User Performing S3 Encryption</code> to identify users with KMS keys performing encryption operations on S3 buckets based on CloudTrail logs.</li>
<li>Enable AWS CloudTrail logging for all regions in your AWS environment to ensure comprehensive monitoring of API activity.</li>
<li>Regularly review IAM policies and KMS key policies to ensure that permissions are appropriately restricted.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the encryption activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>kms</category><category>s3</category><category>encryption</category></item><item><title>AWS IAM API Calls via Temporary Session Tokens</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-session-token-abuse/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-session-token-abuse/</guid><description>Detection of AWS IAM API operations using temporary session credentials, indicating potential credential theft, session hijacking, or privileged role abuse for persistence and defense evasion.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting the abuse of temporary session tokens within AWS environments. Temporary session tokens, identified by access key IDs starting with &quot;ASIA,&quot; are commonly issued via sts:GetSessionToken, sts:AssumeRole, or AWS SSO logins. While legitimate for short-term use, their use for privileged IAM actions like creating users, updating policies, or modifying trust relationships is unusual and indicative of malicious activity. Attackers might leverage compromised IAM users or roles to obtain these session tokens and perform unauthorized actions, aiming for persistence, privilege escalation, or defense evasion. This detection excludes console login sessions to reduce false positives, focusing on programmatic abuse.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an IAM user or role within an AWS environment.</li>
<li>The attacker uses the compromised credentials to request a temporary session token via sts:GetSessionToken or sts:AssumeRole.</li>
<li>The attacker authenticates to the AWS API using the temporary session token (access key ID starting with ASIA).</li>
<li>The attacker attempts to create a new IAM user using the CreateUser API call.</li>
<li>The attacker attempts to modify an existing IAM user's policy using the PutUserPolicy API call.</li>
<li>The attacker attempts to update the AssumeRolePolicy associated with an IAM role.</li>
<li>The attacker may also attempt to modify CloudTrail or GuardDuty configurations for defense evasion.</li>
<li>The attacker achieves persistence by creating new administrative users or roles, or by modifying existing permission policies.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can allow attackers to establish persistent access within the AWS environment, escalate privileges to gain broader control, and evade detection by modifying security configurations. The impact includes unauthorized access to sensitive data, potential data breaches, and disruption of cloud services. While the specific number of victims or sectors targeted is unknown, organizations heavily reliant on AWS infrastructure are most at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>AWS IAM API Calls via Temporary Session Tokens</code> rule to detect suspicious API calls made with temporary session tokens. Tune the rule based on expected usage patterns within your environment.</li>
<li>Investigate all alerts generated by the rule, focusing on actions that modify IAM roles, user policies, and trust relationships, as described in the rule's <code>investigation_fields</code>.</li>
<li>Enforce MFA for all privileged IAM actions using <code>aws:MultiFactorAuthPresent</code> conditions to mitigate the risk of session token abuse, as mentioned in the rule's <code>note</code>.</li>
<li>Implement detection coverage for follow-on persistence actions such as <code>iam:CreateAccessKey</code>, <code>iam:PutUserPolicy</code>, and <code>iam:UpdateAssumeRolePolicy</code>, as recommended in the rule's <code>note</code>.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>iam</category><category>session-token</category><category>persistence</category><category>privilege-escalation</category></item><item><title>AWS IAM Group Creation for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-iam-group-creation/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-iam-group-creation/</guid><description>An adversary with compromised IAM write privileges creates a new group in AWS IAM and grants it excessive permissions to establish a persistence mechanism.</description><content:encoded><![CDATA[<p>This threat brief focuses on the malicious creation of AWS IAM groups as a persistence mechanism. An attacker who has gained unauthorized access to an AWS account, specifically with IAM write privileges, might create a new IAM group. This new group is then configured with highly permissive policies, such as AdministratorAccess, or policies allowing broad access to resources such as S3 buckets or other IAM resources.  The adversary can then add users or roles to this newly created group, granting them the inherited, elevated privileges.  This activity is logged as a <code>CreateGroup</code> event within AWS CloudTrail. This technique allows the attacker to quietly maintain access to the AWS environment, even if the initially compromised credentials are revoked. The Elastic detection rule &quot;AWS IAM Group Creation,&quot; last updated on April 10, 2026, aims to identify this activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of AWS credentials with IAM write privileges (e.g., via phishing, credential stuffing).</li>
<li>The attacker authenticates to the AWS environment using the compromised credentials.</li>
<li>The attacker executes the <code>CreateGroup</code> API call via the AWS CLI or AWS Management Console to create a new IAM group.</li>
<li>The attacker uses the <code>AttachGroupPolicy</code> API call to attach a highly permissive policy (e.g., AdministratorAccess) to the newly created IAM group.</li>
<li>The attacker uses the <code>AddUserToGroup</code> API call to add existing IAM users or roles to the newly created IAM group, granting them elevated privileges.</li>
<li>The attacker uses the newly gained privileges to access resources, modify configurations, or exfiltrate data.</li>
<li>The attacker maintains persistent access by utilizing the added users/roles even if initial credentials are revoked.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to a significant breach of confidentiality, integrity, and availability. An attacker with persistent, high-privilege access can modify critical infrastructure, steal sensitive data, or disrupt services. While the number of direct victims isn't specified in this source, the impact can range from a single compromised AWS account to widespread disruption across multiple organizations relying on the compromised AWS services. The severity depends on the level of access granted to the malicious group and the value of the resources accessible through that group.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect anomalous IAM group creation events.</li>
<li>Investigate any <code>CreateGroup</code> events, especially when followed by <code>AttachGroupPolicy</code> or <code>AddUserToGroup</code> events within a short timeframe (see &quot;AWS IAM Group Creation&quot; rule and investigation guide).</li>
<li>Monitor CloudTrail logs for <code>CreateGroup</code> events and correlate them with other IAM activity to identify suspicious patterns (refer to the <code>aws.cloudtrail.user_identity.arn</code> and related fields described in the provided documentation).</li>
<li>Implement the principle of least privilege, restricting who can call <code>iam:CreateGroup</code>, <code>iam:AttachGroupPolicy</code>, and <code>iam:AddUserToGroup</code> (as mentioned in the remediation steps).</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>persistence</category><category>cloud</category></item><item><title>AWS Management Console Root Login Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-root-login/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-root-login/</guid><description>Detection of a successful AWS Management Console login by the Root user, which is an original identity with unrestricted privileges, indicates a potential security breach requiring immediate investigation.</description><content:encoded><![CDATA[<p>The AWS root user possesses unrestricted privileges over all resources within an AWS account, bypassing IAM boundaries. AWS recommends that the root user should not be used for everyday tasks including administrative ones, and root credentials should be locked away for very specific account-level administrative actions. This rule detects successful AWS Management Console logins by the root user (<code>ConsoleLogin</code> events with <code>userIdentity.type: Root</code> and <code>event.outcome: Success</code>). The login event is sourced from AWS CloudTrail logs, providing detailed information about the source IP, user agent, and geolocation of the login attempt. Identifying these logins is critical for maintaining the security and integrity of the AWS environment, as unauthorized access can lead to significant data breaches and system compromises.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to the AWS root user credentials, potentially through phishing, credential stuffing, or leaked credentials.</li>
<li>The attacker uses the compromised root credentials to authenticate to the AWS Management Console.</li>
<li>AWS CloudTrail logs the successful <code>ConsoleLogin</code> event, including the <code>userIdentity.type: Root</code> and <code>event.outcome: Success</code>.</li>
<li>The attacker leverages the root user privileges to create new IAM users or roles with elevated permissions, establishing persistence within the AWS environment.</li>
<li>The attacker modifies security policies, such as attaching roles or putting bucket policies, to further escalate privileges and gain access to sensitive resources.</li>
<li>The attacker disables or deletes CloudTrail trails and Security Hub findings suppression in order to cover their tracks.</li>
<li>The attacker accesses and exfiltrates sensitive data stored in S3 buckets or other AWS services.</li>
<li>The attacker may attempt to further compromise other AWS accounts or resources by leveraging the compromised root credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful compromise of the AWS root user can lead to complete control over the AWS account, resulting in data breaches, financial losses, and reputational damage. The attacker can access and exfiltrate sensitive data, modify or delete critical resources, and disrupt business operations. The severity of the impact depends on the scope of the attacker's actions and the sensitivity of the data stored in the AWS environment. Because the root user has unrestricted privileges, the potential for damage is very high.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS Management Console Root Login&quot; to your SIEM using AWS CloudTrail logs to detect successful root user logins.</li>
<li>Enable multi-factor authentication (MFA) for the root user account and enforce its usage.</li>
<li>Monitor the <code>source.ip</code> field in CloudTrail logs for root logins and investigate any unfamiliar IP addresses or locations.</li>
<li>Review AWS Identity and Access Management (IAM) configurations to ensure that the root user account is not being used for routine tasks and that appropriate least privilege principles are followed.</li>
<li>Investigate follow-on actions in CloudTrail logs immediately after root login events, such as the creation of new IAM users, roles, or policies.</li>
<li>Implement automated alerts for any future <code>userIdentity.type: Root</code> logins to ensure real-time detection and response.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>initial-access</category></item></channel></rss>