
Key indicators in CloudTrail logs for stolen API keys

20 August 2024 | The Hacker News | Cybersecurity / Cloud Security

As cloud infrastructure becomes the backbone of modern businesses, ensuring the security of these environments is paramount. With AWS (Amazon Web Services) still the dominant cloud, any security professional should know where to look for signs of compromise. AWS CloudTrail is the essential tool for tracking and logging API activity, providing a comprehensive record of actions performed within an AWS account. Think of AWS CloudTrail as an audit or event log for all API calls made in your AWS account: each record captures who made the call (the IAM identity and access key ID), when it was made, from which source IP address and user agent, and what was requested. For security professionals, monitoring these logs is critical, especially when it comes to detecting potentially unauthorized access, such as through stolen API keys. I learned these and many other techniques through the incidents I worked on at AWS and we built them into SANS FOR509, Enterprise Cloud Forensics.

1. Unusual API calls and access patterns

A. Sudden increase in API requests

One of the first signs of a potential security breach is an unexpected increase in API requests. CloudTrail logs every API call made within your AWS account, including who made the call, when it was made, and from where. An attacker with stolen API keys could initiate a large number of requests in a short period of time, either to mine the account for information or to try to exploit specific services.

What to look for:

  • A sudden, atypical increase in API activity.
  • API calls from unusual IP addresses, especially from regions where legitimate users are not active.
  • Attempts to access a variety of services, especially if they are not normally used by your organization.

Note that Amazon GuardDuty (if enabled) will automatically raise findings for many of these events, but someone still has to be watching for and triaging those findings.

B. Unauthorized use of the root account

AWS strongly recommends avoiding using the root account for day-to-day operations due to its high privileges. Any access to the root account, especially when using API keys associated with it, is a clear red flag.

What to look for:

  • API calls made using the root account credentials, especially when the root account is not normally used.
  • Changes to account-level settings, such as changing billing information or account configurations.
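The indicators in this section (request spikes, unfamiliar source addresses, spraying across services, and root usage) can be checked directly against the JSON that CloudTrail delivers to S3. The script below is an added example, not code from the article or from SANS; the records are constructed for the example, the trusted network 203.0.113.0/24 and the ten-minute window with a threshold of five calls are assumptions you would replace with your own baseline, and the access key IDs are placeholders.

```python
"""Added example: hunting stolen-key indicators in CloudTrail records.
Input is the JSON shape CloudTrail writes to S3 ({"Records": [...]}); every
record below is constructed for this example, not taken from a real log."""
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

_EPOCH = datetime(1970, 1, 1)
_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _rec(key, ip, source, name, ts, utype="IAMUser", user="deploy-bot"):
    # Minimal CloudTrail record carrying only the fields the detections read.
    arn = "arn:aws:iam::123456789012:" + ("root" if utype == "Root" else "user/" + user)
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "awsRegion": "us-east-1",
            "userIdentity": {"type": utype, "userName": user,
                             "accessKeyId": key, "arn": arn}}


def _ts(minutes):
    return (datetime(2024, 8, 20, 9, 0) + timedelta(minutes=minutes)).strftime(_FMT)


# Constructed sample: a CI key's normal trickle from the office range, then the
# same key reused from an unfamiliar address to enumerate several services, and
# one API call made with a root access key (hypothetical IDs throughout).
_RECON = [("sts.amazonaws.com", "GetCallerIdentity"), ("iam.amazonaws.com", "ListUsers"),
          ("iam.amazonaws.com", "ListRoles"), ("s3.amazonaws.com", "ListBuckets"),
          ("ec2.amazonaws.com", "DescribeInstances"), ("secretsmanager.amazonaws.com", "ListSecrets"),
          ("iam.amazonaws.com", "GetAccountAuthorizationDetails"), ("s3.amazonaws.com", "ListBuckets")]
SAMPLE_LOG = json.dumps({"Records": [
    _rec("AKIAEXAMPLEDEPLOY", "203.0.113.10", "ecs.amazonaws.com", "UpdateService", _ts(0)),
    _rec("AKIAEXAMPLEDEPLOY", "203.0.113.10", "ecr.amazonaws.com", "GetAuthorizationToken", _ts(30)),
    *[_rec("AKIAEXAMPLEDEPLOY", "198.51.100.77", src, name, _ts(120 + i))
      for i, (src, name) in enumerate(_RECON)],
    _rec("AKIAEXAMPLEROOT00", "198.51.100.77", "iam.amazonaws.com",
         "UpdateAccountPasswordPolicy", _ts(125), utype="Root", user="root"),
]})


def load_records(raw_json):
    return json.loads(raw_json)["Records"]


def _when(rec):
    return datetime.strptime(rec["eventTime"], _FMT)


def request_spikes(records, window=timedelta(minutes=10), threshold=5):
    """Count calls per access key in fixed windows; return the windows where one
    key exceeded `threshold`. Derive the threshold from the key's own history."""
    counts = Counter()
    for r in records:
        slot = (_when(r) - _EPOCH) // window
        counts[(r["userIdentity"].get("accessKeyId", "?"), _EPOCH + slot * window)] += 1
    return {k: n for k, n in counts.items() if n > threshold}


def unfamiliar_source_ips(records, trusted_cidrs):
    """Records whose sourceIPAddress lies outside every trusted network."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for r in records:
        try:
            ip = ipaddress.ip_address(r["sourceIPAddress"])
        except ValueError:
            continue  # calls made by AWS services log a DNS name, not an IP
        if not any(ip in n for n in nets):
            hits.append(r)
    return hits


def root_activity(records):
    """Any call whose identity type is Root; in a healthy account this is near zero."""
    return [r for r in records if r["userIdentity"].get("type") == "Root"]


def services_touched(records):
    """Distinct eventSource values per access key: a key suddenly spraying across
    services it never used before is the 'variety of services' signal."""
    seen = defaultdict(set)
    for r in records:
        seen[r["userIdentity"].get("accessKeyId", "?")].add(r["eventSource"])
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("spikes:", request_spikes(recs))
    print("unfamiliar IPs:", sorted({r["sourceIPAddress"] for r in unfamiliar_source_ips(recs, ["203.0.113.0/24"])}))
    print("root calls:", [r["eventName"] for r in root_activity(recs)])
    print("services per key:", services_touched(recs))
```

On the sample the deploy key is flagged once, for the 11:00 window with eight calls across seven services from 198.51.100.77, and the root call surfaces on its own. In production you would run the same functions over a day of gzipped trail files and feed the results, not the raw records, into your alerting.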

2. Anomalous IAM activity

A. Suspicious creation of access keys

Attackers can create new access keys to gain persistent access to the compromised account. Monitoring CloudTrail logs for the creation of new access keys is critical, especially when these keys are created for accounts that do not normally need them.

What to look for:

  • Creating new access keys for IAM users, especially for those who have not needed them before.
  • Immediate use of newly created access keys, which could indicate that an attacker is testing or using these keys.
  • API calls related to “CreateAccessKey”, “ListAccessKeys” and “UpdateAccessKey”.

B. Role assumption patterns

AWS allows principals to assume roles, which grants them temporary credentials for specific tasks. Monitoring unusual role assumption patterns is critical, as an attacker could assume roles to move laterally within the environment or into other accounts. Failed AssumeRole calls are logged too (with an errorCode of AccessDenied), and a run of failures against different roles is often the attacker discovering which ones the stolen key can reach.

What to look for:

  • Unusual or frequent AssumeRole API calls, especially to roles with elevated privileges.
  • Role assumptions from IP addresses or regions not normally associated with your legitimate users.
  • Assumption of roles that result in actions that are inconsistent with normal business operations.
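The two IAM signals above, a newly minted key being used within minutes of its creation and suspicious AssumeRole activity, can be correlated from the same trail. The script below is an added example and not part of the original article; its records are constructed, the trusted network, the "Admin" substring used to mark privileged roles, the 30-minute pairing window and the burst threshold of three are assumptions, and all key IDs and role names are placeholders. It relies on two facts about CloudTrail: a successful CreateAccessKey records the new key ID under responseElements.accessKey.accessKeyId, and every later call made with that key carries it in userIdentity.accessKeyId.

```python
"""Added example: IAM persistence and lateral-movement signals in CloudTrail.
Records are constructed for the example; nothing here is a real log."""
import ipaddress
import json
from collections import Counter
from datetime import datetime, timedelta

_FMT = "%Y-%m-%dT%H:%M:%SZ"
_ACCT = "123456789012"  # placeholder account ID


def _rec(key, ip, source, name, ts, user="ops-admin", **extra):
    r = {"eventTime": ts, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key,
                          "arn": f"arn:aws:iam::{_ACCT}:user/{user}"}}
    r.update(extra)
    return r


def _assume(key, ip, role, ts, error=None):
    r = _rec(key, ip, "sts.amazonaws.com", "AssumeRole", ts,
             requestParameters={"roleArn": f"arn:aws:iam::{_ACCT}:role/{role}", "roleSessionName": "s"})
    if error:
        r["errorCode"] = error  # failed calls are logged too, and are the enumeration tell
    return r


SAMPLE_LOG = json.dumps({"Records": [
    # Legitimate: a reporting job assumes a read-only role from the office range.
    _assume("AKIAEXAMPLEREPORT", "203.0.113.10", "ReadOnlyReporting", "2024-08-20T09:00:00Z"),
    # Stolen key from an unfamiliar address mints a second key for persistence ...
    _rec("AKIAEXAMPLESTOLEN", "198.51.100.77", "iam.amazonaws.com", "CreateAccessKey", "2024-08-20T10:00:00Z",
         requestParameters={"userName": "backup-svc"},
         responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLENEWKEY1", "status": "Active",
                                         "userName": "backup-svc", "createDate": "Aug 20, 2024 10:00:00 AM"}}),
    # ... tests it within a minute ...
    _rec("AKIAEXAMPLENEWKEY1", "198.51.100.77", "sts.amazonaws.com", "GetCallerIdentity",
         "2024-08-20T10:01:00Z", user="backup-svc"),
    # ... then probes privileged roles until one is allowed.
    _assume("AKIAEXAMPLESTOLEN", "198.51.100.77", "OrgAdminRole", "2024-08-20T10:02:00Z", error="AccessDenied"),
    _assume("AKIAEXAMPLESTOLEN", "198.51.100.77", "BillingAdmin", "2024-08-20T10:02:30Z", error="AccessDenied"),
    _assume("AKIAEXAMPLESTOLEN", "198.51.100.77", "ProdAdmin", "2024-08-20T10:03:00Z"),
]})


def load_records(raw_json):
    return json.loads(raw_json)["Records"]


def _when(r):
    return datetime.strptime(r["eventTime"], _FMT)


def new_keys_used_quickly(records, within=timedelta(minutes=30)):
    """Pair every successful CreateAccessKey with the first call made *with* the
    new key; report pairs closer together than `within`."""
    findings = []
    for c in records:
        if c["eventName"] != "CreateAccessKey" or "responseElements" not in c:
            continue  # a denied CreateAccessKey carries errorCode and no responseElements
        new_id = c["responseElements"]["accessKey"]["accessKeyId"]
        uses = [r for r in records
                if r["userIdentity"].get("accessKeyId") == new_id and _when(r) >= _when(c)]
        if not uses:
            continue
        first = min(uses, key=_when)
        gap = _when(first) - _when(c)
        if gap <= within:
            findings.append({"created_by": c["userIdentity"]["accessKeyId"],
                             "for_user": c["requestParameters"]["userName"],
                             "new_key": new_id, "first_use_after_s": int(gap.total_seconds()),
                             "first_call": first["eventName"], "source_ip": first["sourceIPAddress"]})
    return findings


def assume_role_anomalies(records, trusted_cidrs, privileged=("Admin",), burst=3):
    """Tag each AssumeRole with every reason it looks wrong: privileged target,
    untrusted source network, part of a burst by one caller, or access denied."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    calls = [r for r in records if r["eventName"] == "AssumeRole"]
    per_caller = Counter(r["userIdentity"]["accessKeyId"] for r in calls)
    out = []
    for r in calls:
        role = r["requestParameters"]["roleArn"].rsplit("/", 1)[-1]
        reasons = []
        if any(p in role for p in privileged):
            reasons.append("privileged_role")
        try:
            if not any(ipaddress.ip_address(r["sourceIPAddress"]) in n for n in nets):
                reasons.append("untrusted_source")
        except ValueError:
            pass  # service-originated call logs a DNS name rather than an IP
        if per_caller[r["userIdentity"]["accessKeyId"]] >= burst:
            reasons.append("burst")
        if r.get("errorCode"):
            reasons.append("denied:" + r["errorCode"])
        if reasons:
            out.append({"time": r["eventTime"], "caller": r["userIdentity"]["accessKeyId"],
                        "role": role, "reasons": reasons})
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for f in new_keys_used_quickly(recs):
        print("new key used fast:", f)
    for a in assume_role_anomalies(recs, ["203.0.113.0/24"]):
        print("assumerole:", a)
```

The legitimate ReadOnlyReporting assumption produces no reasons and is dropped; the three calls from the stolen key each carry several, and the denied ones show which roles the attacker wanted but could not get.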

3. Anomalous data access and movement

A. Unusual S3 bucket access

Amazon S3 is often a target for attackers because it can store large amounts of potentially sensitive data. Monitoring CloudTrail for unusual access to S3 buckets is essential for detecting compromised API keys. One caveat: bucket-level calls such as ListBuckets are management events and are always recorded, but object-level calls such as GetObject and PutObject are data events, which CloudTrail records only if data event logging is enabled for the trail or for the bucket. If it is not, you will not see the downloads at all.

What to look for:

  • ListBuckets calls that enumerate the account's buckets, or GetObject and PutObject calls against buckets where such activity would not normally occur.
  • Large data downloads or uploads to and from S3 buckets, especially outside of normal business hours.
  • Attempts to access buckets that store sensitive data such as backups or confidential files.

B. Attempts at data exfiltration

An attacker could attempt to move data out of your AWS environment. CloudTrail logs can help detect such exfiltration attempts, especially if the data transfer patterns are unusual.

What to look for:

  • Large data transfers from services such as S3, RDS (Relational Database Service) or DynamoDB, especially to external or unknown IP addresses.
  • API calls related to services such as AWS DataSync or S3 Transfer Acceleration that are not normally used in your environment.
  • Attempts to create or modify data replication configurations, such as those that involve cross-region S3 replication.
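The S3 access and exfiltration indicators above can be computed from the same trail, provided S3 data events are enabled. The script below is an added example, not the article's or SANS's code; its records are constructed, the working-hours window (07:00 to 19:00 UTC), the one-gigabyte egress threshold and the bucket names are assumptions, and the set of "data movement" management events is the one the article names (S3 replication, S3 Transfer Acceleration, DataSync). It uses the fact that S3 data events report the object size moved in additionalEventData.bytesTransferredOut / bytesTransferredIn.

```python
"""Added example: data-access and data-movement indicators from S3 data events
and bucket-level management events. Records are constructed for the example."""
import json
from collections import defaultdict
from datetime import datetime

_FMT = "%Y-%m-%dT%H:%M:%SZ"
APP = "arn:aws:iam::123456789012:user/app-server"    # placeholder identities
STOLEN = "arn:aws:iam::123456789012:user/backup-svc"


def _rec(arn, ip, source, name, ts, **extra):
    r = {"eventTime": ts, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "arn": arn}}
    r.update(extra)
    return r


def _get(arn, ip, bucket, key, size, ts):
    # S3 data events carry the bytes moved in additionalEventData.
    return _rec(arn, ip, "s3.amazonaws.com", "GetObject", ts,
                requestParameters={"bucketName": bucket, "key": key},
                additionalEventData={"bytesTransferredIn": 0, "bytesTransferredOut": size})


SAMPLE_LOG = json.dumps({"Records": [
    # Normal: the application fetches small assets during the day from the office range.
    _get(APP, "203.0.113.10", "acme-assets", "img/logo.png", 40_000, "2024-08-20T10:15:00Z"),
    _get(APP, "203.0.113.10", "acme-assets", "img/hero.jpg", 900_000, "2024-08-20T14:02:00Z"),
    # 03:00 UTC: one identity pulls every database backup from an unfamiliar address ...
    _get(STOLEN, "198.51.100.77", "acme-db-backups", "prod/2024-08-19.sql.gz", 3_500_000_000, "2024-08-20T03:00:00Z"),
    _get(STOLEN, "198.51.100.77", "acme-db-backups", "prod/2024-08-18.sql.gz", 3_400_000_000, "2024-08-20T03:06:00Z"),
    _get(STOLEN, "198.51.100.77", "acme-db-backups", "prod/2024-08-17.sql.gz", 3_300_000_000, "2024-08-20T03:12:00Z"),
    # ... then configures replication of the bucket elsewhere (a management event, always logged;
    # the replication rule body is omitted here, only the target bucket name is kept).
    _rec(STOLEN, "198.51.100.77", "s3.amazonaws.com", "PutBucketReplication", "2024-08-20T03:20:00Z",
         requestParameters={"bucketName": "acme-db-backups"}),
]})

# (eventSource, eventName) pairs that set up a standing copy of data somewhere else.
DATA_MOVEMENT_EVENTS = {
    ("s3.amazonaws.com", "PutBucketReplication"),              # cross-region / cross-account replication
    ("s3.amazonaws.com", "PutBucketAccelerateConfiguration"),  # S3 Transfer Acceleration
    ("datasync.amazonaws.com", "CreateTask"),                  # AWS DataSync
    ("datasync.amazonaws.com", "CreateLocationS3"),
}


def load_records(raw_json):
    return json.loads(raw_json)["Records"]


def egress_by_principal(records, min_bytes=1_000_000_000):
    """Sum bytesTransferredOut per (identity, bucket); return pairs at or above min_bytes."""
    totals = defaultdict(int)
    for r in records:
        out = r.get("additionalEventData", {}).get("bytesTransferredOut", 0)
        if out:
            totals[(r["userIdentity"]["arn"], r["requestParameters"]["bucketName"])] += out
    return {k: v for k, v in totals.items() if v >= min_bytes}


def off_hours_access(records, sensitive_buckets, start_hour=7, end_hour=19):
    """Object reads and writes on sensitive buckets outside the working window (UTC)."""
    hits = []
    for r in records:
        if r["eventName"] not in ("GetObject", "PutObject"):
            continue
        bucket = r["requestParameters"]["bucketName"]
        hour = datetime.strptime(r["eventTime"], _FMT).hour
        if bucket in sensitive_buckets and not (start_hour <= hour < end_hour):
            hits.append((r["eventTime"], r["userIdentity"]["arn"], bucket, r["requestParameters"]["key"]))
    return hits


def data_movement_changes(records):
    """Management events that create a replication or transfer path for data."""
    return [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"],
             r.get("requestParameters", {}).get("bucketName"))
            for r in records if (r["eventSource"], r["eventName"]) in DATA_MOVEMENT_EVENTS]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("egress >= 1 GB:", egress_by_principal(recs))
    print("off-hours:", off_hours_access(recs, {"acme-db-backups"}))
    print("data movement:", data_movement_changes(recs))
```

Bytes per principal is the measurement that distinguishes an attacker draining a backup bucket from a monitoring job that lists it every minute; a count of GetObject calls alone would not.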

4. Unexpected security group changes

Security groups control inbound and outbound traffic to AWS resources. An attacker could modify these settings to open additional attack vectors, such as enabling SSH access from external IP addresses.

What to look for:

  • Changes to security group rules that allow inbound traffic from IP addresses outside your trusted network.
  • API calls related to AuthorizeSecurityGroupIngress or RevokeSecurityGroupEgress that do not match normal operations.
  • Creating new security groups with overly permissive rules, such as allowing all inbound traffic on common ports.

5. Steps to mitigate the risk of stolen API keys

A. Enforce the principle of least privilege

To minimize the damage an attacker can do with stolen API keys, enforce the principle of least privilege in your AWS account. Ensure that IAM users and roles have only the permissions needed to perform their jobs.

B. Implementation of multi-factor authentication (MFA)

Require MFA for all IAM users, especially those with administrative privileges. Note the limit: MFA on console sign-in does nothing to stop someone who holds a user's long-lived access key, because API calls signed with that key never prompt for a second factor. To make MFA matter for API access, attach an IAM policy that denies the sensitive actions unless the aws:MultiFactorAuthPresent condition key is true, which forces callers to obtain MFA-backed temporary credentials through STS first. Better still, keep long-lived user keys out of the picture where you can and use roles with temporary credentials instead.

C. Regularly rotate and check access keys

Rotate access keys regularly and make sure they are bound to IAM users who actually need them. Also, audit the use of access keys to make sure they are not being misused or used from unexpected locations.
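A key audit is easy to automate from the metadata IAM already exposes: the AccessKeyMetadata returned by ListAccessKeys (UserName, AccessKeyId, Status, CreateDate) and the AccessKeyLastUsed returned by GetAccessKeyLastUsed (LastUsedDate, ServiceName and Region, the last two "N/A" for a never-used key). The script below is an added example, not the article's or SANS's code; the inventory is constructed so the example runs offline, the cut-offs (90 days of age, 60 days dormant, a single allowed region) are assumptions, and the key IDs are placeholders. A live run would fetch the same fields with boto3's list_access_keys and get_access_key_last_used and hand them to the same function.

```python
"""Added example: audit long-lived access keys from the metadata IAM returns.
The inventory is constructed; no AWS API is called."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 8, 20, tzinfo=timezone.utc)  # pinned so the example is reproducible


def _d(days_ago):
    return NOW - timedelta(days=days_ago)


# Constructed inventory: each entry is AccessKeyMetadata merged with AccessKeyLastUsed.
KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLEDEPLOY", "Status": "Active",
     "CreateDate": _d(40), "LastUsedDate": _d(0), "ServiceName": "ecs", "Region": "us-east-1"},
    # backup-svc has an ancient key plus a brand-new one last used from a region nobody works in
    {"UserName": "backup-svc", "AccessKeyId": "AKIAEXAMPLEOLDKEY", "Status": "Active",
     "CreateDate": _d(400), "LastUsedDate": _d(1), "ServiceName": "s3", "Region": "us-east-1"},
    {"UserName": "backup-svc", "AccessKeyId": "AKIAEXAMPLENEWKEY1", "Status": "Active",
     "CreateDate": _d(0), "LastUsedDate": _d(0), "ServiceName": "sts", "Region": "eu-west-3"},
    # alice's key was issued months ago and never used: pure liability
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEALICE0", "Status": "Active",
     "CreateDate": _d(200), "LastUsedDate": None, "ServiceName": "N/A", "Region": "N/A"},
    # already deactivated keys are skipped (delete them once nothing breaks)
    {"UserName": "ci-old", "AccessKeyId": "AKIAEXAMPLEINACT0", "Status": "Inactive",
     "CreateDate": _d(500), "LastUsedDate": _d(450), "ServiceName": "s3", "Region": "us-east-1"},
]


def audit_access_keys(keys, now=NOW, max_age_days=90, unused_days=60, allowed_regions=("us-east-1",)):
    """Return {AccessKeyId: [issues]} for every active key that needs attention."""
    active_per_user = Counter(k["UserName"] for k in keys if k["Status"] == "Active")
    report = {}
    for k in keys:
        if k["Status"] != "Active":
            continue
        issues = []
        age = (now - k["CreateDate"]).days
        if age > max_age_days:
            issues.append("older_than_%dd" % max_age_days)
        if k["LastUsedDate"] is None:
            if age > unused_days:
                issues.append("never_used")
        elif (now - k["LastUsedDate"]).days > unused_days:
            issues.append("dormant")
        if k["Region"] not in ("N/A", *allowed_regions):
            issues.append("used_from_region:" + k["Region"])
        if active_per_user[k["UserName"]] > 1:
            issues.append("user_has_multiple_active_keys")
        if issues:
            report[k["AccessKeyId"]] = issues
    return report


if __name__ == "__main__":
    for key_id, issues in audit_access_keys(KEYS).items():
        print(key_id, ", ".join(issues))
```

Two active keys on one user is normal only during a rotation window; outside one it is exactly the persistence pattern from section 2A, so the audit treats it as a finding rather than a warning.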

D. Enable and monitor CloudTrail and GuardDuty

Make sure CloudTrail is enabled in all regions (an organization or multi-region trail) and that logs are centralized for analysis, ideally in an account the compromised credentials cannot reach. Additionally, Amazon GuardDuty can provide real-time monitoring for malicious activity, providing another layer of protection against compromised credentials. Consider using Amazon Detective to get more context around those findings.

E. Use AWS Config for compliance monitoring

AWS Config helps you monitor compliance with security best practices, including proper use of IAM policies and security groups. This tool can help you identify misconfigurations that could make your account vulnerable to attacks.

Conclusion

The security of your AWS environment depends on vigilant monitoring and rapid detection of anomalies in CloudTrail logs. By understanding the typical patterns of legitimate usage and paying attention to deviations from those patterns, security professionals can detect and respond to potential compromises, such as those involving stolen API keys, before they cause significant damage. As cloud environments continue to evolve, a proactive attitude toward security is essential to protect sensitive data and ensure the integrity of your AWS infrastructure. If you’d like to learn more about what to look for in AWS, Microsoft, and Google clouds to spot signs of intrusion, consider my FOR509 course, part of the SANS Cyber Defense Initiative 2024. For more information, visit for509.com.

This article is a guest post from one of The Hacker News' partners.