Article Details
Scrape Timestamp (UTC): 2024-08-20 20:17:54.579
Source: https://thehackernews.com/2024/08/detecting-aws-account-compromise-key.html
Original Article Text
Detecting AWS Account Compromise: Key Indicators in CloudTrail Logs for Stolen API Keys

As cloud infrastructure becomes the backbone of modern enterprises, ensuring the security of these environments is paramount. With AWS (Amazon Web Services) still the dominant cloud, it is important for any security professional to know where to look for signs of compromise. AWS CloudTrail stands out as an essential tool for tracking and logging API activity, providing a comprehensive record of actions taken within an AWS account. Think of AWS CloudTrail as an audit or event log for all of the API calls made in your AWS account. For security professionals, monitoring these logs is critical, particularly for detecting potential unauthorized access, such as through stolen API keys. I learned these techniques, and many others, through the AWS incidents I have worked, and we built them into SANS FOR509, Enterprise Cloud Forensics.

1. Unusual API Calls and Access Patterns

A. Sudden Spike in API Requests
One of the first signs of a potential security breach is an unexpected increase in API requests. CloudTrail logs every API call made within your AWS account, including who made the call, when it was made, and from where. An attacker with stolen API keys might initiate a large number of requests in a short time frame, either probing the account for information or attempting to exploit certain services.
What to Look For:
Note that GuardDuty (if enabled) will automatically flag these kinds of events, but you still have to be watching to find them.

B. Unauthorized Use of Root Account
AWS strongly recommends avoiding the use of the root account for day-to-day operations because of its high level of privileges. Any access to the root account, especially if API keys associated with it are being used, is a significant red flag.
What to Look For:

2. Anomalous IAM Activity

A. Suspicious Creation of Access Keys
Attackers may create new access keys to establish persistent access to the compromised account. Monitoring CloudTrail logs for the creation of new access keys is crucial, especially if these keys are created for accounts that typically do not require them.
What to Look For:

C. Role Assumption Patterns
AWS allows users to assume roles, granting them temporary credentials for specific tasks. Monitoring for unusual role assumption patterns is vital, as an attacker might assume roles to pivot within the environment.
What to Look For:

3. Anomalous Data Access and Movement

A. Unusual S3 Bucket Access
Amazon S3 is often a target for attackers, given that it can store vast amounts of potentially sensitive data. Monitoring CloudTrail for unusual access to S3 buckets is essential in detecting compromised API keys.
What to Look For:

B. Data Exfiltration Attempts
An attacker may attempt to move data out of your AWS environment. CloudTrail logs can help detect such exfiltration attempts, especially if the data transfer patterns are unusual.
What to Look For:

4. Unexpected Security Group Modifications
Security groups control inbound and outbound traffic to AWS resources. An attacker might modify these settings to open up additional attack vectors, such as enabling SSH access from external IP addresses.
What to Look For:

5. Steps for Mitigating the Risk of Stolen API Keys

A. Enforce the Principle of Least Privilege
To minimize the damage an attacker can do with stolen API keys, enforce the principle of least privilege across your AWS account. Ensure that IAM users and roles have only the permissions necessary to perform their tasks.

B. Implement Multi-Factor Authentication (MFA)
Require MFA for all IAM users, particularly those with administrative privileges. This adds an additional layer of security, making it more difficult for attackers to gain access even if they have stolen API keys.

C. Regularly Rotate and Audit Access Keys
Regularly rotate access keys and ensure that they are tied to IAM users who actually need them. Additionally, audit the use of access keys to ensure they are not being abused or used from unexpected locations.

D. Enable and Monitor CloudTrail and GuardDuty
Ensure that CloudTrail is enabled in all regions and that logs are centralized for analysis. Additionally, AWS GuardDuty can provide real-time monitoring for malicious activity, offering another layer of protection against compromised credentials. Consider AWS Detective to build some intelligence on top of the findings.

E. Use AWS Config for Compliance Monitoring
AWS Config can be used to monitor compliance with security best practices, including the proper use of IAM policies and security groups. This tool can help identify misconfigurations that might leave your account vulnerable to attack.

Conclusion
The security of your AWS environment hinges on vigilant monitoring and quick detection of anomalies within CloudTrail logs. By understanding the typical patterns of legitimate usage and being alert to deviations from these patterns, security professionals can detect and respond to potential compromises, such as those involving stolen API keys, before they cause significant damage. As cloud environments continue to evolve, maintaining a proactive stance on security is essential to protecting sensitive data and ensuring the integrity of your AWS infrastructure. If you want to learn more about what to look for in AWS for signs of intrusion, along with the Microsoft and Google clouds, you might consider my class FOR509, running at SANS Cyber Defense Initiative 2024. Visit for509.com to learn more.
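The indicators from sections 1, 2 and 4 (API spikes per key, root account use, new access key creation, role assumption from an unfamiliar address, and security groups opened to the world on SSH) as detection logic over CloudTrail records. This is an added example, not code from the article or from SANS FOR509; the trusted-IP allowlist, the spike threshold and window, and the abbreviated sample records are all assumptions made up for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_IPS = {"203.0.113.5"}                      # assumed corporate egress allowlist
SPIKE_THRESHOLD, WINDOW = 4, timedelta(minutes=5)  # assumed; tuned low for the sample

# Constructed sample records (abbreviated CloudTrail JSON, not real log data).
SAMPLE_RECORDS = [json.loads(line) for line in """
{"eventTime":"2024-08-20T10:00:00Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEUSER1"}}
{"eventTime":"2024-08-20T10:00:05Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEUSER1"}}
{"eventTime":"2024-08-20T10:00:07Z","eventName":"ListUsers","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEUSER1"}}
{"eventTime":"2024-08-20T10:00:09Z","eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEUSER1"},"requestParameters":{"userName":"backup-svc"}}
{"eventTime":"2024-08-20T10:01:00Z","eventName":"AssumeRole","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEUSER1"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/Admin"}}
{"eventTime":"2024-08-20T10:02:00Z","eventName":"AuthorizeSecurityGroupIngress","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEUSER1"},"requestParameters":{"groupId":"sg-0123456789abcdef0","ipPermissions":{"items":[{"fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventTime":"2024-08-20T10:03:00Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"Root"}}
""".strip().splitlines()]

def find_indicators(records):
    """Per-event checks from the article: root use, new access keys, role assumption
    from an untrusted IP, and a security group opened to 0.0.0.0/0 on port 22."""
    findings = []
    for r in records:
        ident, ip, name = r.get("userIdentity", {}), r.get("sourceIPAddress", ""), r["eventName"]
        params = r.get("requestParameters") or {}   # absent/null for read-only calls
        if ident.get("type") == "Root":
            findings.append(("root_account_use", name, ip))
        if name == "CreateAccessKey":
            findings.append(("new_access_key:" + params.get("userName", "?"), name, ip))
        if name == "AssumeRole" and ip not in TRUSTED_IPS:
            findings.append(("assume_role_untrusted_ip:" + params.get("roleArn", "?"), name, ip))
        if name == "AuthorizeSecurityGroupIngress":
            for perm in params.get("ipPermissions", {}).get("items", []):
                world = any(x.get("cidrIp") == "0.0.0.0/0" for x in perm.get("ipRanges", {}).get("items", []))
                if world and perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535):  # no ports = all traffic
                    findings.append(("ssh_open_to_world:" + params.get("groupId", "?"), name, ip))
    return findings

def spiking_keys(records):
    """Access keys that issued >= SPIKE_THRESHOLD calls inside any WINDOW-long span."""
    times = defaultdict(list)
    for r in records:
        if r.get("userIdentity", {}).get("accessKeyId"):
            times[r["userIdentity"]["accessKeyId"]].append(
                datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    for ts in times.values(): ts.sort()
    return {k for k, ts in times.items()
            if any(ts[i + SPIKE_THRESHOLD - 1] - ts[i] <= WINDOW
                   for i in range(len(ts) - SPIKE_THRESHOLD + 1))}
```

On the sample, find_indicators returns four findings and spiking_keys flags the single key; against real trails, feed it the Records array of each CloudTrail file and raise the threshold to what your baseline supports.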
Daily Brief Summary
CloudTrail is essential for tracking API activity and detecting unauthorized access, such as stolen API keys, within AWS environments.
Key indicators of compromise include sudden spikes in API requests, use of root accounts, unauthorized creation of access keys, and unusual role assumption patterns.
Monitoring for abnormal access to S3 buckets and data exfiltration attempts is crucial for identifying security breaches.
It is vital to observe unexpected changes in security group configurations, which could expose AWS resources to further attacks.
Recommended mitigation strategies encompass enforcing the principle of least privilege, implementing MFA, regularly auditing and rotating access keys, and ensuring CloudTrail and GuardDuty are properly monitored.
AWS Config should be utilized for compliance monitoring to prevent vulnerabilities caused by misconfigurations.
Maintaining a proactive stance in monitoring and quickly responding to unusual activities within CloudTrail logs is essential for protecting sensitive data and the integrity of AWS infrastructure.