First Time AWS Cloudformation Stack Creation by User
editFirst Time AWS Cloudformation Stack Creation by User
editThis rule detects the first time a principal calls AWS Cloudwatch CreateStack
or CreateStackSet
API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-aws.cloudtrail-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/
- https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/
- https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: Cloudformation
- Use Case: Asset Visibility
- Tactic: Execution
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and event.action: (CreateStack or CreateStackSet) and event.outcome:success
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/