AWS EC2 Admin Credential Fetch via Assumed Role
editAWS EC2 Admin Credential Fetch via Assumed Role
editIdentifies the first occurrence of a user identity in AWS using GetPassword
for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-aws.cloudtrail*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: Amazon EC2
- Use Case: Identity and Access Audit
- Resources: Investigation Guide
- Tactic: Credential Access
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and Analysis
Investigating AWS EC2 Admin Credential Fetch via Assumed Role
This rule detects the first occurrence of a user identity using the GetPasswordData
API call in AWS, which retrieves the administrator password of an EC2 instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances.
This is a New Terms rule, which means it will only trigger once for each unique value of the aws.cloudtrail.user_identity.session_context.session_issuer.arn
field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call.
Possible Investigation Steps
-
Identify the User Identity and Role: Examine the AWS CloudTrail logs to determine the user identity that made the
GetPasswordData
request. Pay special attention to the role and permissions associated with the user. -
Review Request and Response Parameters: Analyze the
aws.cloudtrail.request_parameters
andaws.cloudtrail.response_elements
fields to understand the context of the API call and the retrieved password. - Contextualize with User Behavior: Compare this activity against the user’s typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the user or role prior to and following the incident.
- Review EC2 Instance Details: Check the details of the EC2 instance from which the password was retrieved. Assess the criticality and sensitivity of the applications running on this instance.
- Examine Related CloudTrail Events: Search for other API calls made by the same user identity, especially those modifying security groups, network access controls, or instance metadata.
- Check for Lateral Movement: Look for evidence that the obtained credentials have been used to access other resources or services within AWS.
- Investigate the Origin of the API Call: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity.
False Positive Analysis
- Legitimate Administrative Actions: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates.
-
Automation Scripts: Verify if the activity was generated by automation or deployment scripts that are authorized to use
GetPasswordData
for legitimate purposes.
Response and Remediation
- Immediate Isolation: If suspicious, isolate the affected instance to prevent any potential lateral movement or further unauthorized actions.
- Credential Rotation: Rotate credentials of the affected instance or assumed role and any other potentially compromised credentials.
- User Account Review: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse.
- Enhanced Monitoring: Increase monitoring on the user identity that triggered the rule and similar EC2 instances.
- Incident Response: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems.
-
Preventative Measures: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like
GetPasswordData
.
Additional Information
Refer to resources like AWS privilege escalation methods and the MITRE ATT&CK technique T1552.005 - Cloud Instance Metadata API for more details on potential vulnerabilities and mitigation strategies.
Rule query
editevent.dataset:"aws.cloudtrail" and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData" and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
-
Sub-technique:
- Name: Cloud Instance Metadata API
- ID: T1552.005
- Reference URL: https://attack.mitre.org/techniques/T1552/005/