As cloud infrastructure becomes the backbone of today’s businesses, securing these environments is of paramount importance. With AWS (Amazon Web Services) still the dominant cloud, any security professional should know where to look for signs of a breach. AWS CloudTrail stands out as a critical tool for tracking and logging API activity, providing a complete record of the actions performed in an AWS account. Think of AWS CloudTrail as an audit or event log for all API calls made in your AWS account. For security professionals, monitoring these logs is critical, especially for detecting unauthorized access such as the use of stolen API keys. These techniques, and many more, are ones I’ve learned during the incidents I’ve worked on in AWS and that we’ve built into SANS FOR509 Enterprise Cloud Forensics.
1. Unusual API calls and access patterns
A. A sudden spike in API requests
One of the first signs of a potential security breach is an unexpected increase in the number of API requests. CloudTrail logs every API call made in your AWS account, including who made the call, when it was made, and from where. An attacker with stolen API keys can initiate a large number of requests in a short period of time, either searching for account information or attempting to use specific services.
What to look for:
- A sudden, uncharacteristic spike in API activity.
- API calls from unusual IP addresses, especially from regions where legitimate users do not work.
- Attempts to access a wide range of services, especially if they are not commonly used by your organization.
Note that GuardDuty (if enabled) flags such events automatically, but someone still has to review its findings and act on them.
B. Unauthorized use of the Root account
AWS strongly recommends that you avoid using the root account for day-to-day operations due to the high level of privileges. Any access to the root account, especially when using the associated API keys, is a serious red flag.
What to look for:
- API calls made with root account credentials, especially when the root account is not normally used.
- Changes to account-level settings, such as changing payment information or account configuration.
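The three signals above can be checked mechanically once CloudTrail records are in hand. The following Python is an added example written for this article, not code from the original post or from AWS: it builds a handful of constructed, CloudTrail-shaped records (the account id, user names, and the 10.0.0.0/8 trusted range are assumptions) and runs three small detections over them, a per-principal call-rate spike check, a source-address check that skips the service hostnames AWS writes into `sourceIPAddress` for calls made on your behalf, and a list of every call made with root credentials.

```python
"""Triage constructed CloudTrail-shaped records for three signals: call-rate
spikes per principal, calls from untrusted source addresses, and any use of
root credentials. Only the record fields used here are populated."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed identities: the account id and addresses are documentation examples.
ACCOUNT = "111122223333"
USER_BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
USER_DEPLOY = f"arn:aws:iam::{ACCOUNT}:user/deploy"   # assume this user's key was stolen
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
TRUSTED_NETWORKS = ["10.0.0.0/8"]                      # assumed corporate egress range


def make_event(time, name, source, arn, ip, identity_type="IAMUser", region="us-east-1"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": identity_type, "arn": arn}}


SAMPLE_EVENTS = [
    # bob's normal, low-rate activity from the corporate range
    make_event("2024-10-01T10:00:10Z", "DescribeInstances", "ec2.amazonaws.com", USER_BOB, "10.0.0.5"),
    make_event("2024-10-01T10:03:42Z", "GetObject", "s3.amazonaws.com", USER_BOB, "10.0.0.5"),
    # a burst of discovery calls with deploy's key from an address outside that range
    make_event("2024-10-01T10:01:00Z", "GetCallerIdentity", "sts.amazonaws.com", USER_DEPLOY, "203.0.113.7"),
    make_event("2024-10-01T10:01:05Z", "ListBuckets", "s3.amazonaws.com", USER_DEPLOY, "203.0.113.7"),
    make_event("2024-10-01T10:01:09Z", "ListUsers", "iam.amazonaws.com", USER_DEPLOY, "203.0.113.7"),
    make_event("2024-10-01T10:01:30Z", "DescribeInstances", "ec2.amazonaws.com", USER_DEPLOY,
               "203.0.113.7", region="eu-west-1"),
    make_event("2024-10-01T10:02:15Z", "ListSecrets", "secretsmanager.amazonaws.com", USER_DEPLOY, "203.0.113.7"),
    # root credentials used to change an account-level setting
    make_event("2024-10-01T11:15:00Z", "UpdateAccountPasswordPolicy", "iam.amazonaws.com", ROOT,
               "198.51.100.9", identity_type="Root"),
    # a call made by an AWS service on bob's behalf: sourceIPAddress is a hostname, not an IP
    make_event("2024-10-01T11:20:00Z", "DescribeStacks", "cloudformation.amazonaws.com", USER_BOB,
               "cloudformation.amazonaws.com"),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_spikes(events, window_minutes=5, threshold=4):
    """Count calls per principal in fixed windows and return windows at or above
    threshold. window_minutes must divide 60 so buckets align to the hour."""
    counts = Counter()
    for e in events:
        t = parse_time(e["eventTime"])
        bucket = t.replace(minute=t.minute - t.minute % window_minutes, second=0)
        counts[(e["userIdentity"]["arn"], bucket.strftime("%Y-%m-%dT%H:%MZ"))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def unusual_source_ips(events, trusted_networks):
    """Return sorted (principal, ip) pairs whose source address is outside the
    trusted ranges. Service hostnames in sourceIPAddress are skipped, not flagged."""
    nets = [ip_network(n) for n in trusted_networks]
    seen = set()
    for e in events:
        src = e["sourceIPAddress"]
        try:
            ip = ip_address(src)
        except ValueError:          # e.g. "cloudformation.amazonaws.com"
            continue
        if not any(ip in n for n in nets):
            seen.add((e["userIdentity"]["arn"], src))
    return sorted(seen)


def root_activity(events):
    """Every call signed with root credentials, oldest first."""
    return sorted((e["eventTime"], e["eventName"]) for e in events
                  if e["userIdentity"]["type"] == "Root")


if __name__ == "__main__":
    print("spikes:", find_spikes(SAMPLE_EVENTS))
    print("untrusted sources:", unusual_source_ips(SAMPLE_EVENTS, TRUSTED_NETWORKS))
    print("root calls:", root_activity(SAMPLE_EVENTS))
```

In practice the events come from the CloudTrail S3 bucket or a Lake query rather than a list literal; the three functions only depend on the `eventTime`, `sourceIPAddress` and `userIdentity` fields that every record carries. The spike threshold here is deliberately low for the sample; tune it to each principal's observed baseline.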
2. Abnormal IAM activity
A. Suspicious generation of access keys
Attackers can generate new access keys to establish persistent access to the compromised account. Monitoring CloudTrail logs for the creation of new access keys is very important, especially when keys are created for users that do not normally need them.
What to look for:
- Creating new access keys for IAM users, especially those who didn’t need them before.
- Immediate use of newly generated access keys, which may indicate that an attacker is testing or using these keys.
- API calls related to `CreateAccessKey`, `ListAccessKeys` and `UpdateAccessKey`.
B. Patterns of role assumption
AWS allows users to assume roles, which gives them temporary credentials for specific tasks. Monitoring for unusual role assumption patterns is vital, as an attacker with stolen keys can assume roles to make changes in the environment.
What to look for:
- Unusual or frequent calls to the `AssumeRole` API, especially for roles with elevated privileges.
- Role assumptions from IP addresses or regions not normally associated with your legitimate users.
- Role assumptions followed by actions that are inconsistent with normal business operations.
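Both IAM signals in this section are correlations rather than single-event matches: a `CreateAccessKey` is interesting mainly when the key it returns is used soon after, and an `AssumeRole` is interesting for which role was requested and from where. This Python is an added example for this article, not code from the original post or from AWS. It uses constructed, CloudTrail-shaped records; the account id, user names, the `AdminRole` and `ReadOnlyRole` ARNs, the 10.0.0.0/8 trusted range, and the key ids (AWS documentation placeholders) are all assumptions.

```python
"""Correlate CreateAccessKey with the first call signed by the new key, and flag
AssumeRole calls for privileged roles or from untrusted addresses. Records are
constructed, CloudTrail-shaped samples; only the fields used are populated."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ACCOUNT = "111122223333"
USER_BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
USER_DEPLOY = f"arn:aws:iam::{ACCOUNT}:user/deploy"        # assume this user's key was stolen
USER_BACKUP = f"arn:aws:iam::{ACCOUNT}:user/svc-backup"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"        # hypothetical privileged role
READONLY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ReadOnlyRole"  # hypothetical low-privilege role
TRUSTED_NETWORKS = ["10.0.0.0/8"]
NEW_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation example key id, not a real key


def event(time, name, arn, ip, key_id, **extra):
    """Minimal record; userIdentity.accessKeyId is the key that signed the call."""
    e = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": key_id}}
    e.update(extra)
    return e


SAMPLE_EVENTS = [
    # normal: bob assumes a read-only role from the office
    event("2024-10-01T09:00:00Z", "AssumeRole", USER_BOB, "10.0.0.5", "AKIAI44QH8DHBEXAMPLE",
          requestParameters={"roleArn": READONLY_ROLE, "roleSessionName": "bob-readonly"}),
    # deploy's key, from an untrusted address, mints a new key for another user ...
    event("2024-10-01T10:05:00Z", "CreateAccessKey", USER_DEPLOY, "203.0.113.7", "AKIADEPLOYEXAMPLE000",
          requestParameters={"userName": "svc-backup"},
          responseElements={"accessKey": {"accessKeyId": NEW_KEY, "userName": "svc-backup",
                                          "status": "Active"}}),
    # ... which is used 40 seconds later ...
    event("2024-10-01T10:05:40Z", "ListBuckets", USER_BACKUP, "203.0.113.7", NEW_KEY),
    # ... and then to assume a privileged role
    event("2024-10-01T10:06:00Z", "AssumeRole", USER_BACKUP, "203.0.113.7", NEW_KEY,
          requestParameters={"roleArn": ADMIN_ROLE, "roleSessionName": "x"}),
    # a denied CreateAccessKey carries errorCode and no responseElements
    event("2024-10-01T10:07:00Z", "CreateAccessKey", USER_BACKUP, "203.0.113.7", NEW_KEY,
          requestParameters={"userName": "bob"}, errorCode="AccessDenied"),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def keys_used_quickly(events, within=timedelta(minutes=15)):
    """Pair each successful CreateAccessKey with the first call signed by the
    new key inside `within`. Denied creations have no responseElements."""
    created = {}
    for e in events:
        if e["eventName"] == "CreateAccessKey" and e.get("responseElements"):
            key = e["responseElements"]["accessKey"]
            created[key["accessKeyId"]] = (parse_time(e["eventTime"]), key["userName"],
                                           e["userIdentity"]["arn"])
    hits = []
    for e in sorted(events, key=lambda x: x["eventTime"]):   # ISO-8601 sorts chronologically
        kid = e["userIdentity"].get("accessKeyId")
        if kid in created:
            t_create, owner, creator = created[kid]
            delta = parse_time(e["eventTime"]) - t_create
            if timedelta(0) <= delta <= within:
                hits.append({"accessKeyId": kid, "owner": owner, "created_by": creator,
                             "first_use": e["eventName"],
                             "seconds_after_creation": int(delta.total_seconds())})
                del created[kid]          # report only the first use of each key
    return hits


def suspicious_assume_role(events, privileged_roles, trusted_networks):
    """Flag AssumeRole calls for privileged roles or from untrusted addresses."""
    nets = [ip_network(n) for n in trusted_networks]
    out = []
    for e in events:
        if e["eventName"] != "AssumeRole":
            continue
        role = e["requestParameters"]["roleArn"]
        reasons = []
        if role in privileged_roles:
            reasons.append("privileged role")
        try:
            if not any(ip_address(e["sourceIPAddress"]) in n for n in nets):
                reasons.append("untrusted source")
        except ValueError:                # service hostname, not an address
            pass
        if reasons:
            out.append((e["eventTime"], e["userIdentity"]["arn"], role, reasons))
    return out


if __name__ == "__main__":
    print(keys_used_quickly(SAMPLE_EVENTS))
    print(suspicious_assume_role(SAMPLE_EVENTS, {ADMIN_ROLE}, TRUSTED_NETWORKS))
```

The key correlation relies on `responseElements.accessKey.accessKeyId` from the creation event matching `userIdentity.accessKeyId` on later calls, which is what lets you tie a new key back to the principal that created it even when the key belongs to a different user.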
3. Abnormal data access and movement
A. Unusual S3 bucket access
Amazon S3 is often a target for attackers, given that it can store huge amounts of potentially sensitive data. Monitoring CloudTrail for unusual access to S3 buckets is critical to detecting compromised API keys.
What to look for:
- API calls related to `ListBuckets`, `GetObject`, or `PutObject` for buckets that normally do not see such activity.
- Large-scale downloads from or uploads to S3 buckets, especially outside of normal business hours.
- Attempts to access buckets that store sensitive data, such as backups or sensitive files.
B. Data exfiltration attempts
An attacker could try to move data out of your AWS environment. CloudTrail logs can help detect such exfiltration attempts, especially when the data transfer patterns are unusual.
What to look for:
- Large data transfers from services such as S3, RDS (Relational Database Service) or DynamoDB, especially to external or unknown IP addresses.
- API calls related to services such as AWS DataSync or S3 Transfer Acceleration that are not typically used in your environment.
- Attempts to create or modify data replication configurations, such as those involving S3 cross-region replication.
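The S3 indicators in sections 3A and 3B (object volume, bytes out, off-hours access to sensitive buckets, and replication changes) can all be derived from the same aggregation of S3 events. This Python is an added example for this article, not code from the original post or from AWS. The records are constructed and CloudTrail-shaped; the bucket names, the sensitive-bucket inventory, the 08:00-18:00 UTC working day and the volume thresholds are assumptions. Note that `GetObject`/`PutObject` only appear in CloudTrail when S3 data events are enabled on the trail.

```python
"""Summarise S3 records per principal and bucket, then flag bulk downloads,
off-hours access to sensitive buckets and replication changes. Records are
constructed, CloudTrail-shaped samples."""
from collections import defaultdict
from datetime import datetime

ACCOUNT = "111122223333"
USER_BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
USER_BACKUP = f"arn:aws:iam::{ACCOUNT}:user/svc-backup"   # assume this key was stolen
SENSITIVE_BUCKETS = {"customer-backups"}                  # assumed inventory


def make_s3_event(time, name, arn, bucket=None, key=None, ip="10.0.0.5", bytes_out=0):
    """Minimal S3 record; bytesTransferredOut lives in additionalEventData."""
    e = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
         "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "arn": arn},
         "requestParameters": {"bucketName": bucket} if bucket else None}
    if key:
        e["requestParameters"]["key"] = key
    if bytes_out:
        e["additionalEventData"] = {"bytesTransferredOut": bytes_out}
    return e


# bob fetches three small assets during the working day
SAMPLE_EVENTS = [make_s3_event(f"2024-10-01T14:{m:02d}:00Z", "GetObject", USER_BOB, "app-assets",
                               f"img/{m}.png", bytes_out=20_000) for m in (5, 12, 30)]
# svc-backup pulls 25 database dumps of 50 MB each from a sensitive bucket at 02:00
SAMPLE_EVENTS += [make_s3_event(f"2024-10-02T02:{m:02d}:00Z", "GetObject", USER_BACKUP,
                                "customer-backups", f"db/dump-{m:02d}.gz", ip="203.0.113.7",
                                bytes_out=50_000_000) for m in range(10, 35)]
# ... after listing buckets (no bucketName) and before changing replication on the bucket
SAMPLE_EVENTS.append(make_s3_event("2024-10-02T02:05:00Z", "ListBuckets", USER_BACKUP, ip="203.0.113.7"))
SAMPLE_EVENTS.append(make_s3_event("2024-10-02T02:40:00Z", "PutBucketReplication", USER_BACKUP,
                                   "customer-backups", ip="203.0.113.7"))


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def in_business_hours(ts, start=8, end=18):
    """Assumes an 08:00-18:00 UTC working day; adjust to your team's time zone."""
    return start <= parse_time(ts).hour < end


def s3_summary(events):
    """Aggregate count, bytes out and off-hours calls per (principal, bucket, operation)."""
    agg = defaultdict(lambda: {"count": 0, "bytes": 0, "off_hours": 0})
    for e in events:
        if e["eventSource"] != "s3.amazonaws.com":
            continue
        bucket = (e.get("requestParameters") or {}).get("bucketName")
        if bucket is None:              # ListBuckets and other account-level calls
            continue
        row = agg[(e["userIdentity"]["arn"], bucket, e["eventName"])]
        row["count"] += 1
        row["bytes"] += (e.get("additionalEventData") or {}).get("bytesTransferredOut", 0)
        if not in_business_hours(e["eventTime"]):
            row["off_hours"] += 1
    return agg


def flag_s3_activity(events, sensitive_buckets, max_objects=20, max_bytes=500_000_000):
    """Turn the summary into findings with a reason per matched indicator."""
    findings = []
    for (arn, bucket, op), row in s3_summary(events).items():
        reasons = []
        if row["count"] >= max_objects:
            reasons.append(f"{row['count']} objects")
        if row["bytes"] >= max_bytes:
            reasons.append(f"{row['bytes']} bytes out")
        if row["off_hours"] and bucket in sensitive_buckets:
            reasons.append(f"{row['off_hours']} off-hours calls to sensitive bucket")
        if op == "PutBucketReplication":
            reasons.append("replication configuration changed")
        if reasons:
            findings.append({"principal": arn, "bucket": bucket, "operation": op, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_s3_activity(SAMPLE_EVENTS, SENSITIVE_BUCKETS):
        print(f)
```

Byte counts are the more robust signal of the two: an attacker can stay under any per-object threshold by fetching a few large archives, so keep both thresholds and baseline them per bucket.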
4. Unexpected security group modifications
Security groups control inbound and outbound traffic to AWS resources. An attacker can change these settings to open up additional attack vectors, such as allowing SSH access from external IP addresses.
What to look for:
- Changes to security group rules that allow inbound traffic from IP addresses outside of your trusted network.
- API calls related to `AuthorizeSecurityGroupIngress` or `RevokeSecurityGroupEgress` that do not correspond to normal operations.
- Creating new security groups with overly permissive rules, such as allowing all inbound traffic to common ports.
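A security group change is one of the few CloudTrail events where the request parameters alone tell you whether it is dangerous. This Python is an added example for this article, not code from the original post or from AWS. It walks the `ipPermissions` structure that `AuthorizeSecurityGroupIngress` records carry and reports every CIDR that is not contained in a trusted range, covering IPv6 ranges and the port-less `-1` (all protocols) form. The records are constructed; the group ids, user names and trusted ranges are assumptions.

```python
"""Flag AuthorizeSecurityGroupIngress calls that open ports to addresses outside
the trusted networks, and list egress revocations for review. Records are
constructed, CloudTrail-shaped samples."""
from ipaddress import ip_network

ACCOUNT = "111122223333"
USER_BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
USER_BACKUP = f"arn:aws:iam::{ACCOUNT}:user/svc-backup"     # assume this key was stolen
TRUSTED_NETWORKS = ["10.0.0.0/8", "2001:db8::/32"]         # assumed corporate ranges


def sg_event(time, name, arn, ip, group_id, permissions=None):
    """Minimal EC2 security-group record (constructed)."""
    params = {"groupId": group_id}
    if permissions is not None:
        params["ipPermissions"] = {"items": permissions}
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "arn": arn},
            "requestParameters": params}


def permission(proto, v4=(), v6=(), from_port=None, to_port=None):
    """One ipPermissions entry; "-1" (all protocols) carries no port range."""
    p = {"ipProtocol": proto,
         "ipRanges": {"items": [{"cidrIp": c} for c in v4]},
         "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in v6]}}
    if from_port is not None:
        p["fromPort"], p["toPort"] = from_port, to_port
    return p


SAMPLE_EVENTS = [
    # bob opens HTTPS to the corporate range: fine
    sg_event("2024-10-01T09:30:00Z", "AuthorizeSecurityGroupIngress", USER_BOB, "10.0.0.5",
             "sg-0a1b2c3d4e5f67890", [permission("tcp", ["10.0.0.0/8"], from_port=443, to_port=443)]),
    # svc-backup opens SSH to the whole internet on the same group
    sg_event("2024-10-02T02:45:00Z", "AuthorizeSecurityGroupIngress", USER_BACKUP, "203.0.113.7",
             "sg-0a1b2c3d4e5f67890", [permission("tcp", ["0.0.0.0/0"], from_port=22, to_port=22)]),
    # ... creates a new group and allows everything from everywhere, v4 and v6
    sg_event("2024-10-02T02:46:00Z", "CreateSecurityGroup", USER_BACKUP, "203.0.113.7", "sg-0fedcba9876543210"),
    sg_event("2024-10-02T02:46:30Z", "AuthorizeSecurityGroupIngress", USER_BACKUP, "203.0.113.7",
             "sg-0fedcba9876543210", [permission("-1", ["0.0.0.0/0"], ["::/0"])]),
    # ... and strips an egress restriction
    sg_event("2024-10-02T02:47:00Z", "RevokeSecurityGroupEgress", USER_BACKUP, "203.0.113.7",
             "sg-0fedcba9876543210", [permission("tcp", ["10.0.0.0/8"], from_port=443, to_port=443)]),
]


def risky_ingress_rules(events, trusted_networks):
    """One finding per CIDR in an ingress rule that is not inside a trusted range.
    Rules that reference other groups (userIdGroupPairs) carry no CIDR and are skipped."""
    nets = [ip_network(n) for n in trusted_networks]
    findings = []
    for e in events:
        if e["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        params = e["requestParameters"]
        for perm in params.get("ipPermissions", {}).get("items", []):
            proto = perm["ipProtocol"]
            ports = "all" if proto == "-1" else f"{perm['fromPort']}-{perm['toPort']}"
            cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
            cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
            for cidr in cidrs:
                net = ip_network(cidr)
                if any(net.version == t.version and net.subnet_of(t) for t in nets):
                    continue
                findings.append({"time": e["eventTime"], "principal": e["userIdentity"]["arn"],
                                 "groupId": params["groupId"], "protocol": proto,
                                 "ports": ports, "cidr": cidr})
    return findings


def egress_revocations(events):
    """Egress rules removed; each deserves a look because it widens outbound reach."""
    return [(e["eventTime"], e["userIdentity"]["arn"], e["requestParameters"]["groupId"])
            for e in events if e["eventName"] == "RevokeSecurityGroupEgress"]


if __name__ == "__main__":
    for f in risky_ingress_rules(SAMPLE_EVENTS, TRUSTED_NETWORKS):
        print(f)
    print(egress_revocations(SAMPLE_EVENTS))
```

Pair the ingress findings with the `CreateSecurityGroup` event that precedes them: a brand-new group that is immediately opened to 0.0.0.0/0 by a principal working outside business hours from an untrusted address is the pattern the section describes.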
5. Steps to reduce the risk of API key theft
A. Apply the principle of least privilege
To minimize the damage an attacker can do with stolen API keys, apply the principle of least privilege in your AWS account. Ensure that IAM users and roles have only the permissions necessary to perform their tasks.
B. Implement Multi-Factor Authentication (MFA)
Require MFA for all IAM users, especially those with administrative rights. This adds an extra layer of security by making it difficult for attackers to gain access, even if they have stolen the API keys.
C. Rotate and audit access keys regularly
Rotate your access keys regularly and make sure they belong to IAM users who really need them. Also review how access keys are used, to confirm they are not being misused or used from unexpected places.
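The rotation and usage review above can be turned into a recurring audit. This Python is an added example for this article, not code from the original post or from AWS. It works on constructed data shaped like the responses of the boto3 `iam.list_access_keys` and `iam.get_access_key_last_used` calls (both real APIs; in production those calls supply the two inputs), and reports keys that are older than a rotation limit, never used, idle, last used from an unexpected region, or duplicated on a user. The user names, key ids (documentation-style placeholders), thresholds and expected regions are assumptions.

```python
"""Audit IAM access keys for age, disuse, unexpected last-use region and
duplicates. The inputs mirror the shape of iam.list_access_keys (the
AccessKeyMetadata items) and iam.get_access_key_last_used (the
AccessKeyLastUsed item); the data here is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)

# Constructed: AccessKeyMetadata items as list_access_keys returns them, for all users.
ACCESS_KEY_METADATA = [
    {"UserName": "bob", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "svc-backup", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "svc-backup", "AccessKeyId": "AKIABACKUP2EXAMPLE00", "Status": "Active",
     "CreateDate": NOW - timedelta(days=2)},
    {"UserName": "alice", "AccessKeyId": "AKIAALICEEXAMPLE0000", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "carol", "AccessKeyId": "AKIACAROLEXAMPLE0000", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120)},
]

# Constructed: AccessKeyLastUsed per key id. A key that was never used has no
# LastUsedDate, and ServiceName/Region read "N/A".
LAST_USED = {
    "AKIAI44QH8DHBEXAMPLE": {"LastUsedDate": NOW - timedelta(days=1), "ServiceName": "s3", "Region": "us-east-1"},
    "AKIAIOSFODNN7EXAMPLE": {"LastUsedDate": NOW - timedelta(hours=2), "ServiceName": "sts", "Region": "eu-west-1"},
    "AKIABACKUP2EXAMPLE00": {"LastUsedDate": NOW - timedelta(hours=1), "ServiceName": "s3", "Region": "us-east-1"},
    "AKIAALICEEXAMPLE0000": {"ServiceName": "N/A", "Region": "N/A"},
    "AKIACAROLEXAMPLE0000": {"LastUsedDate": NOW - timedelta(days=100), "ServiceName": "ec2", "Region": "us-east-1"},
}


def audit_access_keys(metadata, last_used, now, max_age_days=90, max_idle_days=45,
                      expected_regions=("us-east-1",)):
    """Return one finding per key with a list of reasons; keys with none are omitted."""
    findings = []
    active_per_user = Counter(k["UserName"] for k in metadata if k["Status"] == "Active")
    for k in metadata:
        reasons = []
        usage = last_used.get(k["AccessKeyId"], {})
        age = (now - k["CreateDate"]).days
        if k["Status"] == "Active" and age > max_age_days:
            reasons.append(f"active key is {age} days old; rotate")
        if "LastUsedDate" not in usage:
            reasons.append("never used; delete")
        else:
            idle = (now - usage["LastUsedDate"]).days
            if idle > max_idle_days:
                reasons.append(f"unused for {idle} days; deactivate")
            if usage["Region"] not in expected_regions:
                reasons.append(f"last used from unexpected region {usage['Region']}")
        if k["Status"] == "Active" and active_per_user[k["UserName"]] > 1:
            reasons.append("user has more than one active key")
        if reasons:
            findings.append({"user": k["UserName"], "accessKeyId": k["AccessKeyId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_access_keys(ACCESS_KEY_METADATA, LAST_USED, NOW):
        print(f)
```

Two active keys on one user is normal only during a rotation window; outside that window it is the footprint of the `CreateAccessKey` persistence pattern from section 2, which is why the audit reports it alongside plain age.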
D. Enable and monitor CloudTrail and GuardDuty
Ensure that CloudTrail is enabled in all regions and that logs are centralized for analysis. In addition, AWS GuardDuty can provide real-time monitoring of malicious activity, offering another layer of protection against compromised credentials. Consider AWS Detective for some inference-based intelligence.
E. Use AWS Config to monitor compliance
AWS Config can be used to monitor compliance with security best practices, including the appropriate use of IAM policies and security groups. This tool can help detect misconfigurations that could leave your account vulnerable to attack.
Conclusion
The security of your AWS environment depends on close monitoring and quick detection of anomalies in CloudTrail logs. By understanding typical patterns of legitimate use and being alert to deviations from those patterns, security professionals can detect and respond to potential breaches, such as those involving stolen API keys, before they cause significant damage. As the cloud environment continues to evolve, maintaining a proactive security posture is critical to protecting sensitive data and ensuring the integrity of your AWS infrastructure. If you want to learn more about what to look for in AWS for signs of intrusion, as well as the Microsoft and Google clouds, you can consider my class ЗА509 works at SANS 2024 Cyber Defense Initiative. Visit for509.com to learn more.