AWS Systems Manager SecureString Parameter Request with Decryption Flag
Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the withDecryption parameter set to true. This is a [NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-aws.cloudtrail*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS Systems Manager
- Tactic: Credential Access
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and Analysis
Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag
This rule detects when an AWS resource accesses SecureString parameters within AWS Systems Manager (SSM) with the decryption flag set to true. SecureStrings are encrypted using a KMS key, and accessing these with decryption can indicate attempts to access sensitive data.
Adversaries may target SecureStrings to retrieve sensitive information such as encryption keys, passwords, and other credentials that are stored securely. Accessing these parameters with decryption enabled is particularly concerning because it implies the adversary is attempting to bypass the encryption to obtain plain text values that can be immediately used or exfiltrated. This behavior might be part of a larger attack strategy aimed at escalating privileges or moving laterally within an environment to access protected data or critical infrastructure.
Possible Investigation Steps
- Review the Access Event: Identify the specific API call (GetParameter or GetParameters) that triggered the rule. Examine the request_parameters for withDecryption set to true and the name of the accessed parameter.
- Verify User Identity and Access Context: Check the user_identity details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.
- Contextualize with User Behavior: Assess whether the access pattern fits the user's normal behavior or job responsibilities. Investigate any out-of-pattern activities around the time of the event.
- Analyze Geographic and IP Context: Using the source.ip and source.geo information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.
- Inspect Related CloudTrail Events: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.
False Positive Analysis
- Legitimate Administrative Use: Verify if the decryption of SecureString parameters is a common practice for the user’s role, particularly if used in automation scripts or deployment processes like those involving Terraform or similar tools.
Response and Remediation
- Immediate Verification: Contact the user or team responsible for the API call to verify their intent and authorization.
- Review and Revise Permissions: If the access was unauthorized, review the permissions assigned to the user or role to ensure they align with the principle of least privilege.
- Audit Parameter Access Policies: Ensure that policies governing access to SecureString parameters are strict and audit logs are enabled to track access with decryption.
- Incident Response: If suspicious activity is confirmed, follow through with your organization’s incident response plan to mitigate any potential security issues.
- Enhanced Monitoring and Alerting: Strengthen monitoring rules to detect unusual accesses to SecureString parameters, especially those that involve decryption.
Additional Information
This rule focuses solely on SecureStrings in AWS Systems Manager (SSM) parameters. SecureStrings are encrypted using an AWS Key Management Service (KMS) key. When a user accesses a SecureString parameter, they can specify whether the parameter should be decrypted. If the user specifies that the parameter should be decrypted, the decrypted value is returned in the response.
Setup
This rule requires that AWS CloudTrail logs are ingested into the Elastic Stack. Ensure that the AWS integration is properly configured to collect AWS CloudTrail logs. This rule also requires event logging for AWS Systems Manager (SSM) API actions, which can be enabled in CloudTrail's data events settings.
Rule query
event.dataset: aws.cloudtrail and event.provider: "ssm.amazonaws.com" and event.action: (GetParameters or GetParameter) and event.outcome: success and aws.cloudtrail.request_parameters: *withDecryption=true*
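To show what the query above plus the new-terms window actually select, here is an added example (not part of the Elastic rule or its documentation) that evaluates the same predicate against constructed raw CloudTrail records and then applies a 10-day first-seen window per user ARN. It works on CloudTrail's native JSON field names rather than the ECS-mapped fields the rule queries, and the sample events and account ID are made up.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records (not real data), raw CloudTrail field names.
ALICE = "arn:aws:iam::111122223333:user/alice"
DEPLOY = "arn:aws:iam::111122223333:role/deploy"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"arn": ALICE},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"arn": ALICE},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    # Decryption not requested: does not match the query.
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "userIdentity": {"arn": DEPLOY},
     "requestParameters": {"names": ["/prod/api/key"], "withDecryption": False}},
    # Denied call: event.outcome would not be success, so no match.
    {"eventTime": "2024-05-02T09:30:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "userIdentity": {"arn": DEPLOY},
     "requestParameters": {"names": ["/prod/api/key"], "withDecryption": True},
     "errorCode": "AccessDenied"},
    # Same ARN again, 19 days later: outside the 10-day history window.
    {"eventTime": "2024-05-20T08:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "userIdentity": {"arn": ALICE},
     "requestParameters": {"names": ["/prod/api/key"], "withDecryption": True}},
]

def matches_query(ev):
    """Mirror of the rule's KQL: SSM provider, Get* action, success, withDecryption=true."""
    return (ev.get("eventSource") == "ssm.amazonaws.com"
            and ev.get("eventName") in ("GetParameter", "GetParameters")
            and "errorCode" not in ev  # CloudTrail success has no errorCode
            and ev.get("requestParameters", {}).get("withDecryption") is True)

def new_terms_alerts(events, window=timedelta(days=10)):
    """Alert once per ARN whose matching event is its first within the window."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not matches_query(ev):
            continue
        arn = ev["userIdentity"]["arn"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        prev = last_seen.get(arn)
        if prev is None or ts - prev > window:
            alerts.append((arn, ev["eventTime"]))
        last_seen[arn] = ts
    return alerts
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields two alerts, both for alice: the 1 May call and the 20 May call, because the second one falls outside the 10-day window; the 10:05 repeat and both deploy-role events are suppressed.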
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Credentials from Password Stores
  - ID: T1555
  - Reference URL: https://attack.mitre.org/techniques/T1555/
- Sub-technique:
  - Name: Cloud Secrets Management Stores
  - ID: T1555.006
  - Reference URL: https://attack.mitre.org/techniques/T1555/006/