First Time AWS Cloudformation Stack Creation by User

This rule detects the first time a principal successfully calls the AWS CloudFormation CreateStack or CreateStackSet API. CloudFormation creates a collection of cloud resources, called a stack, from a template file. An attacker who has obtained the necessary privileges could use CloudFormation to provision the resources needed to further compromise the environment. This is a new terms rule: it alerts on the first occurrence of this behavior within the last 10 days for a given IAM user or role in a particular account.

Rule type: new_terms

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: Cloudformation
  • Use Case: Asset Visibility
  • Tactic: Execution

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
    event.action: (CreateStack or CreateStackSet) and event.outcome:success
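The following Python script is an added illustration of the rule logic described above, not code from Elastic or from the rule itself. It applies the query's filter (provider cloudformation.amazonaws.com, action CreateStack or CreateStackSet, successful outcome) to a handful of constructed CloudTrail-style records and then reproduces the new-terms behavior: a principal is alerted on only when it has not been seen performing this action in the previous 10 days. The field names (eventSource, eventName, errorCode, recipientAccountId, userIdentity.arn) follow raw CloudTrail JSON, which the Filebeat module maps to the ECS fields used in the query; the choice of (account id, principal ARN) as the new-terms key is an assumption, since the page does not state which fields the rule keys on.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records, trimmed to the fields the rule needs.
# The Filebeat aws.cloudtrail module maps eventSource -> event.provider,
# eventName -> event.action, and the absence of errorCode -> event.outcome:success.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    # Same principal 5 minutes later: already seen inside the window, no alert.
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    # A role (assumed-role session) calling CreateStackSet for the first time: alert.
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStackSet", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/Deploy/session"}},
    # Failed call (errorCode present): event.outcome is not success, filtered out.
    {"eventTime": "2024-05-02T09:30:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "111111111111",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    # Different provider: not a CloudFormation event, filtered out.
    {"eventTime": "2024-05-03T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    # alice again, 19 days after her last stack creation: outside the 10-day
    # history window, so the term counts as new again and an alert fires.
    {"eventTime": "2024-05-20T10:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
]

HISTORY_WINDOW_DAYS = 10  # the look-back the rule description states


def matches_rule(event):
    """Mirror the rule query: CloudFormation provider, CreateStack/CreateStackSet,
    and a successful outcome (CloudTrail records a failure by adding errorCode)."""
    return (
        event.get("eventSource") == "cloudformation.amazonaws.com"
        and event.get("eventName") in ("CreateStack", "CreateStackSet")
        and "errorCode" not in event
    )


def principal_key(event):
    """Assumed new-terms key: the account plus the calling principal's ARN."""
    return (event["recipientAccountId"], event["userIdentity"]["arn"])


def detect_first_time_stack_creation(events, history_days=HISTORY_WINDOW_DAYS):
    """Return one alert per (account, principal) whose matching event has no
    earlier matching event from the same principal within history_days."""
    window = timedelta(days=history_days)
    last_seen = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        if not matches_rule(event):
            continue
        ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        key = principal_key(event)
        previous = last_seen.get(key)
        if previous is None or ts - previous > window:
            alerts.append({
                "time": event["eventTime"],
                "account": key[0],
                "principal": key[1],
                "action": event["eventName"],
            })
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_first_time_stack_creation(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['account']} {alert['principal']} {alert['action']}")
```

Running the script prints three alerts: alice's first CreateStack on 2024-05-01, the Deploy role's first CreateStackSet on 2024-05-02, and alice again on 2024-05-20 because her earlier activity has aged out of the 10-day history window. The repeated call five minutes after the first, the AccessDenied attempt, and the EC2 event produce nothing, which is the behavior to expect from the production rule as well.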

Framework: MITRE ATT&CK™