As enterprises increasingly rely on cloud infrastructure, maintaining the security of these ecosystems is crucial. Given the continued dominance of AWS (Amazon Web Services) in the cloud space, it is imperative for security experts to understand where to search for signals of compromise. AWS CloudTrail emerges as a vital resource for tracking and recording API activity, furnishing a comprehensive log of actions carried out within an AWS account. Think of AWS CloudTrail as an audit or event log for all API requests executed in your AWS account. Vigilantly monitoring these logs is essential for security professionals, especially in uncovering unauthorized access, such as that facilitated by stolen API keys. The methodologies below are among those I have gleaned from my experiences with AWS incidents and incorporated into SANS FOR509, Enterprise Cloud Forensics.
1. Peculiar API Calls and Entry Patterns
A. Abrupt Surge in API Requests
One of the initial indicators of a possible security infringement is an unforeseen uptick in API requests. CloudTrail meticulously logs every API call conducted within your AWS account, including the caller details, timestamp, and source. An adversary armed with purloined API keys might trigger a substantial volume of requests within a brief timeframe, either to explore the account for data or endeavor to exploit specific services.
Observations to Be On The Lookout For:
- An abrupt, atypical escalation in API activities.
- API requests from atypical IP addresses, particularly from regions where authentic users do not typically operate.
- Entry attempts to a broad array of services, especially those that are uncommonly utilized by your organization.
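The three observations above can be turned into simple baseline-and-deviation checks over a CloudTrail records file. The following is an added example, not code from the original article: it reads records in CloudTrail's JSON layout (eventTime, eventSource, eventName, sourceIPAddress, userIdentity) and flags keys that burst past a call-count threshold inside a sliding window, keys calling from IP addresses outside a known allow-list, and keys that touch an unusually broad set of services. The access key IDs, IP addresses, thresholds and the allow-list are constructed placeholders; tune the thresholds to your own account's normal activity.

```python
"""Burst, unfamiliar-source and service-spread checks over CloudTrail records.
Added example; record layout follows CloudTrail's JSON fields, while key IDs,
IPs and thresholds below are constructed placeholders."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window for burst detection
BURST_THRESHOLD = 20            # assumed: more calls than this per window is a burst
SERVICE_THRESHOLD = 5           # assumed: more distinct services than this is unusual
KNOWN_IPS = {"203.0.113.10"}    # constructed allow-list (office egress, CI runner, ...)


def _rec(key, ip, service, name, when):
    """Build one CloudTrail-shaped record (only the fields used below)."""
    return {
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": f"{service}.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
    }


def build_sample():
    """Constructed sample: one quiet key and one key behaving like a stolen one."""
    t0 = datetime(2024, 5, 1, 12, 0, 0)
    quiet = [_rec("AKIAEXAMPLEQUIET", "203.0.113.10", "s3", "GetObject",
                  t0 + timedelta(minutes=20 * i)) for i in range(3)]
    services = ["iam", "s3", "ec2", "sts", "secretsmanager", "lambda", "rds", "dynamodb"]
    noisy = [_rec("AKIAEXAMPLENOISY", "198.51.100.77", services[i % len(services)],
                  "ListResources", t0 + timedelta(seconds=6 * i)) for i in range(40)]
    return {"Records": quiet + noisy}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def key_of(rec):
    return rec.get("userIdentity", {}).get("accessKeyId", "<no-key>")


def burst_keys(records, window=WINDOW, threshold=BURST_THRESHOLD):
    """Keys whose call count inside any sliding window exceeds the threshold."""
    times = defaultdict(list)
    for r in records:
        times[key_of(r)].append(parse_time(r["eventTime"]))
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts):          # two-pointer sweep over sorted times
            while t - ts[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[key] = peak
    return flagged


def unfamiliar_sources(records, known_ips=KNOWN_IPS):
    """'key@ip' pairs outside the allow-list, with call counts.  Calls made on
    your behalf by an AWS service carry the service's DNS name in
    sourceIPAddress rather than an IP, so those are skipped."""
    seen = defaultdict(int)
    for r in records:
        ip = r.get("sourceIPAddress", "")
        if ip not in known_ips and not ip.endswith(".amazonaws.com"):
            seen[f"{key_of(r)}@{ip}"] += 1
    return dict(seen)


def broad_service_use(records, threshold=SERVICE_THRESHOLD):
    """Keys that touched more distinct services than the threshold."""
    services = defaultdict(set)
    for r in records:
        services[key_of(r)].add(r["eventSource"])
    return {k: sorted(v) for k, v in services.items() if len(v) > threshold}


def triage(trail):
    recs = trail["Records"]
    return {"bursts": burst_keys(recs),
            "unfamiliar_ips": unfamiliar_sources(recs),
            "broad_service_use": broad_service_use(recs)}


if __name__ == "__main__":
    # With real data: json.load() a decompressed CloudTrail log file instead.
    print(json.dumps(triage(build_sample()), indent=2))
```

Each check is deliberately independent so that a key tripping two or three of them at once stands out in the output; a single unknown IP on its own is often just a traveling engineer, whereas an unknown IP combined with a burst across eight services is the pattern described above.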
B. Unauthorized Utilization of Root Account
AWS strongly advises against using the root account for everyday tasks due to its elevated privileges. Any access to the root account, particularly if associated API keys are employed, serves as a major warning sign.
Behaviors to Keep an Eye On:
- API calls executed with root account credentials, particularly if the root account is not conventionally operated.
- Alterations to account-level configurations, such as adjustments to billing particulars or account settings.
2. Irregular IAM Operations
A. Dubious Generation of Access Keys
- API calls tied to CreateAccessKey, ListAccessKeys, and UpdateAccessKey.
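The following added example (not code from the article) covers both sections 1B and 2A: it walks CloudTrail records and reports every call made with root credentials (noting whether a long-term AKIA key was used, which is what a stolen root key looks like), account-level configuration changes, and the access-key lifecycle calls named above, grouped by caller and flagged when the target user differs from the caller. The account ID, user names and sample events are constructed; the set of account-level event names is an assumption to be extended for your own environment.

```python
"""Root-credential use, account-level changes and access-key operations
in CloudTrail records.  Added example; field names follow CloudTrail's JSON
layout, while identities and the watched-event lists are constructed/assumed."""
import json
from collections import defaultdict

# Event names called out in the article.
ACCESS_KEY_EVENTS = {"CreateAccessKey", "ListAccessKeys", "UpdateAccessKey"}
# Assumed list of account-level changes worth alerting on; extend as needed.
ACCOUNT_LEVEL_EVENTS = {"UpdateAccountPasswordPolicy", "PutContactInformation",
                        "PutAlternateContact", "DeleteAlternateContact"}


def _rec(name, source, ident, params=None, when="2024-05-01T12:00:00Z"):
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "userIdentity": ident, "requestParameters": params or {}}


# Constructed identities (111122223333 is the documentation example account id).
ROOT = {"type": "Root", "accountId": "111122223333", "accessKeyId": "AKIAEXAMPLEROOT"}
ALICE = {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEALICE"}

SAMPLE = {"Records": [
    _rec("DescribeInstances", "ec2.amazonaws.com", ALICE),
    _rec("ListAccessKeys", "iam.amazonaws.com", ALICE, {"userName": "alice"}),
    _rec("CreateAccessKey", "iam.amazonaws.com", ALICE, {"userName": "bob"}),
    _rec("ListBuckets", "s3.amazonaws.com", ROOT),
    _rec("UpdateAccountPasswordPolicy", "iam.amazonaws.com", ROOT,
         {"minimumPasswordLength": 6}),
    _rec("PutContactInformation", "account.amazonaws.com", ROOT),
]}


def caller(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def root_activity(records):
    """Every call made with root credentials.  A long-term key (AKIA prefix)
    on a root call is the worst case: the root access key itself is in use."""
    hits = []
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("type") == "Root":
            key = ident.get("accessKeyId", "")
            hits.append({"eventName": r["eventName"], "eventTime": r["eventTime"],
                         "long_term_key": key.startswith("AKIA")})
    return hits


def account_level_changes(records, watched=ACCOUNT_LEVEL_EVENTS):
    return [r["eventName"] for r in records if r["eventName"] in watched]


def access_key_operations(records, watched=ACCESS_KEY_EVENTS):
    """Access-key lifecycle calls grouped by caller.  When userName is omitted
    IAM acts on the caller's own user, so that is the default target."""
    by_caller = defaultdict(list)
    for r in records:
        if r["eventName"] not in watched:
            continue
        who = caller(r)
        target = r.get("requestParameters", {}).get("userName", who)
        by_caller[who].append({"eventName": r["eventName"], "target": target,
                               "cross_user": target != who})
    return dict(by_caller)


def triage(trail):
    recs = trail["Records"]
    return {"root": root_activity(recs),
            "account_changes": account_level_changes(recs),
            "access_keys": access_key_operations(recs)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

In the constructed sample the root key is used for three calls, two of them account-level changes, and alice mints a key for bob; in a real investigation the same grouping tells you which principal to contain first and which newly created keys to revoke.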
C. Role Assumption Trends
3. Atypical Data Retrieval and Transfer
A. Uncommon S3 Bucket Access
B. Data Extraction Endeavors
4. Unanticipated Security Group Adjustments
5. Measures for Mitigating the Risk of Stolen API Keys
A. Enforce the Principle of Minimum Privileges
B. Deploy Multi-Factor Authentication (MFA)
C. Routinely Rotate and Audit Access Keys
D. Activate and Supervise CloudTrail and GuardDuty
Confirm that CloudTrail is activated in all regions and that logs are centralized for examination. AWS GuardDuty can also offer real-time monitoring for malicious behavior, providing an additional layer of defense against compromised credentials. Consider leveraging AWS Detective for additional intelligence based on those findings.
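A quick way to confirm the CloudTrail posture just described is to audit the trail configuration itself. The following added example (not from the article) checks each trail for multi-region coverage, log file validation, delivery to a central bucket, active logging and CloudWatch Logs delivery; the input shape mirrors what boto3's describe_trails() and get_trail_status() return, and the two sample trails plus the central bucket name are constructed.

```python
"""Audit CloudTrail configuration for all-region coverage and central logging.
Added example; trail shapes mirror boto3 cloudtrail responses, while the
sample trails and bucket name are constructed."""
import json

REQUIRED_BUCKET = "central-cloudtrail-logs-example"  # assumed central log bucket


def audit_trail(trail, status, central_bucket=REQUIRED_BUCKET):
    """Return a list of findings for one trail (empty means it looks healthy)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("not multi-region")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled")
    if trail.get("S3BucketName") != central_bucket:
        findings.append(f"logs go to {trail.get('S3BucketName')!r}, not the central bucket")
    if not status.get("IsLogging"):
        findings.append("logging is stopped")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("no CloudWatch Logs delivery (no near-real-time alerting)")
    return findings


def audit_account(trails, statuses, central_bucket=REQUIRED_BUCKET):
    """Per-trail findings plus an account-wide check that some trail covers all regions."""
    report = {t["Name"]: audit_trail(t, statuses.get(t["Name"], {}), central_bucket)
              for t in trails}
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        report["_account"] = ["no trail covers all regions"]
    return report


def fetch_live():
    """Pull the same shapes from a real account (needs boto3 and credentials)."""
    import boto3
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, statuses


# Constructed sample: one well-configured organization trail, one legacy trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "S3BucketName": REQUIRED_BUCKET,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*"},
    {"Name": "legacy-trail", "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "S3BucketName": "old-team-bucket"},
]
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "legacy-trail": {"IsLogging": False}}


if __name__ == "__main__":
    # Replace the sample with: trails, statuses = fetch_live()
    print(json.dumps(audit_account(SAMPLE_TRAILS, SAMPLE_STATUS), indent=2))
```

Log file validation matters for the investigation side of this article: without the digest files an attacker who reaches the bucket can alter or delete records and you cannot prove the surviving log is complete.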
E. Employ AWS Config for Compliance Surveillance
AWS Config can be utilized to oversee compliance with security best practices, which includes the appropriate utilization of IAM policies and security groups. This solution can aid in identifying misconfigurations that could potentially expose your account to security threats.
Summary
The security of your AWS environment relies on diligent monitoring and timely detection of irregularities within CloudTrail logs. By comprehending the typical usage patterns and remaining vigilant for deviations from these patterns, security experts can identify and act on potential breaches, such as those related to stolen API keys, before they result in significant harm. As cloud environments progress, maintaining a proactive security posture is crucial for safeguarding sensitive data and upholding the integrity of your AWS infrastructure. For further insights on identifying intrusion signs in AWS, as well as Microsoft and Google clouds, you may be interested in attending my workshop FOR509 happening at SANS Cyber Defense Initiative 2024. Visit for509.com to find out more.
