Cloudtrail

Detects successful AWS AssumeRoleWithWebIdentity where the caller identity is a Kubernetes service account and the source autonomous system organization is not Amazon.com, Inc., potentially indicating a stolen or misused service-account token being used off-cluster.

An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.

This rule detects when a single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI, potentially indicating reconnaissance activity following credential compromise or compromised EC2 instance access.

The import of SSH key pairs into AWS EC2, as detected by CloudTrail logs, may indicate unauthorized access attempts, persistence establishment, or privilege escalation by an attacker.

An adversary may delete an AWS SAML provider to disrupt administrative access, hindering incident response and potentially escalating privileges within the AWS environment.

This rule detects AWS identities with API traffic dominated by cloud-provider source AS organization labels, but also exhibit traffic from other AS organizations, potentially indicating credential reuse or pivoting.

An AWS IAM policy is created by the S3Browser utility with the default S3 bucket name placeholder, potentially indicating unauthorized access or misconfiguration.

Successful AWS console logins without multi-factor authentication can indicate compromised credentials, misconfigured security settings, or unauthorized access attempts.

This rule identifies suspicious SAML activity in AWS, such as AssumeRoleWithSAML and UpdateSAMLProvider events, which could indicate an attacker gaining backdoor access, escalating privileges, or establishing persistence.

Attackers may delete or disable AWS GuardDuty detectors to impair defenses and evade detection of malicious activities within the AWS environment.

Detection of adversaries attempting to impair or disable AWS security services by deleting resources across GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility.

Detection of deletion of critical AWS Security Services configurations like CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules to evade detection, potentially leading to data breaches and unauthorized access.

Attackers may attempt to evade detection by altering CloudTrail logging configurations, such as changing multi-regional logging to a single region, which impairs the logging of their activities and hinders incident response.

Detection of AWS CloudTrail `StopLogging` events indicating potential defense evasion by adversaries attempting to operate undetected within a compromised AWS environment by halting the logging of their malicious activities.

Detection of AWS CloudTrail StopLogging events indicates a potential defense evasion attempt by an attacker to operate stealthily within a compromised AWS environment and hinder incident response.

Attackers modify AWS CloudTrail settings using UpdateTrail events to evade detection by disabling or limiting logging, as indicated by non-console user agents.

Detection of attempts to delete AWS Bedrock model invocation logging configurations, potentially indicating an adversary trying to remove audit trails of model interactions after credential compromise, to hide malicious AI model usage.

Detects successful AWS `AssumeRoleWithWebIdentity` calls where the caller identity is a Kubernetes service account and the source autonomous system organization is not `Amazon.com, Inc.`, which may indicate a stolen or misused projected service-account token being exchanged for IAM credentials off-cluster.

Attackers may abuse the AWS S3 PutBucketLifecycle API to rapidly delete CloudTrail logs by setting short expiration periods on S3 buckets, hindering incident response and forensic investigations.

An adversary may delete AWS CloudTrail logs to evade detection and operate stealthily within a compromised environment, using the `DeleteTrail` event while excluding actions from the AWS console.

An attacker modifies an AWS S3 bucket lifecycle policy to rapidly expire CloudTrail logs, hindering incident response and forensic analysis.

Detection of AWS Bedrock GuardRails deletion, which are security controls to prevent harmful AI outputs, could indicate an adversary attempting to remove safety measures after credential compromise to enable malicious model outputs.