AWS security monitoring checkpoints have been introduced on a number of web sites, but I have not seen much about how to actually check them. In this post I show examples that use CloudWatch Logs Insights over CloudTrail logs to check IAM activity.
Narrow down to IAM events
The first step is to narrow the results down to IAM events only.
Sample query:
fields eventSource, @timestamp
| filter eventSource = "iam.amazonaws.com"
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/eventSource.png]
Create New User
Example case: if your AWS credentials were stolen, the attacker may use them to create a new user.
The sample query below searches for CreateUser events.
From its result you can see when the new user was created, from which IP address and with which user agent, who created it, the name of the new user, and whether the request was made from an MFA-authenticated session.
In this sample result, the example user created the test user, and MFA was not enabled.
filter eventSource = "iam.amazonaws.com" and eventName = "CreateUser"
| fields eventSource, eventName, responseElements.user.createDate as createDate,
sourceIPAddress, userAgent, userIdentity.userName as requestUser,
requestParameters.userName as createdUser,
userIdentity.sessionContext.attributes.mfaAuthenticated as mfaAuthenticated
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/createuser.jpg]
DeleteUser
If a user was deleted, you can find it with this event.
filter eventSource = "iam.amazonaws.com" and eventName = "DeleteUser"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
requestParameters.userName as DeletedUser, userIdentity.userName as requestUser,
userIdentity.sessionContext.attributes.mfaAuthenticated as mfaAuthenticated
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/DeleteUser.jpg]
AddUserToGroup
This event records a user being added to a group.
Monitor it in the same way: check that the user has not gained undesirable permissions, who made the request, from where it was made, which user was added, and to which group.
Sample query:
filter eventSource = "iam.amazonaws.com" and eventName = "AddUserToGroup"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
userIdentity.userName as requestUser, requestParameters.userName as addedUser,
requestParameters.groupName as groupName,
userIdentity.sessionContext.attributes.mfaAuthenticated as mfaAuthenticated
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/addUsertoGroup.jpg]
RemoveUserFromGroup
This event differs from AddUserToGroup only in whether the user is added to a group or removed from one; read the fields with the opposite meaning.
filter eventSource = "iam.amazonaws.com" and eventName = "RemoveUserFromGroup"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
requestParameters.groupName as removedGroup, requestParameters.userName as user,
userIdentity.userName as requestUser
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/RemoveUserFromGroup.jpg]
PutUserPermissionsBoundary
PutUserPermissionsBoundary records a permissions boundary policy being set on a user.
Monitoring this event has the same purpose as for AddUserToGroup: check that the user does not end up with suspicious permissions.
The permissionsBoundary field is the policy set on the user; in this sample result the Administrator policy was set on the test user.
filter eventSource = "iam.amazonaws.com" and eventName = "PutUserPermissionsBoundary"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
requestParameters.permissionsBoundary as permissionsBoundary, requestParameters.userName as addedUser,
userIdentity.userName as requestUser
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/PutUserPermissionsBoundary.jpg]
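The checks described for CreateUser, AddUserToGroup and PutUserPermissionsBoundary, applied in Python to CloudTrail events as CloudWatch Logs receives them (one JSON document per log event). This is an added example, not code from the original post: the log lines and the two watchlists are constructed, and the field paths are the same ones the queries above project.

```python
# Added example (not from the original post): the IAM checks of the post,
# applied to CloudTrail log events. Records and watchlists are constructed.
import json

# Groups and boundary policies an operator wants to hear about (constructed;
# tune to your account).
PRIVILEGED_GROUPS = {"Administrators"}
PRIVILEGED_BOUNDARIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# Constructed CloudTrail log events, one JSON document per line, following the
# CloudTrail record schema. Records two and three have no sessionContext at
# all, which is what a call made with long-term access keys looks like.
SAMPLE_LOG_LINES = """\
{"eventSource":"iam.amazonaws.com","eventName":"CreateUser","eventTime":"2024-01-15T09:12:44Z","sourceIPAddress":"203.0.113.10","userAgent":"console.amazonaws.com","userIdentity":{"userName":"example","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}},"requestParameters":{"userName":"test"},"responseElements":{"user":{"createDate":"Jan 15, 2024 9:12:44 AM"}}}
{"eventSource":"iam.amazonaws.com","eventName":"AddUserToGroup","eventTime":"2024-01-15T09:13:02Z","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.13.0","userIdentity":{"userName":"example"},"requestParameters":{"userName":"test","groupName":"Administrators"}}
{"eventSource":"iam.amazonaws.com","eventName":"PutUserPermissionsBoundary","eventTime":"2024-01-15T09:13:30Z","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.13.0","userIdentity":{"userName":"example"},"requestParameters":{"userName":"test","permissionsBoundary":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","eventTime":"2024-01-15T09:14:00Z","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.13.0","userIdentity":{"userName":"example"}}
"""


def load_records(text):
    """Parse JSON-lines CloudTrail log events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get_path(record, dotted, default=None):
    """Read a dotted field path the way Logs Insights does
    (e.g. userIdentity.sessionContext.attributes.mfaAuthenticated)."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def iam_events(records, event_name=None):
    """Step one of the post: keep only IAM events, optionally one eventName."""
    return [r for r in records
            if r.get("eventSource") == "iam.amazonaws.com"
            and (event_name is None or r.get("eventName") == event_name)]


def triage(records):
    """Project the same columns as the queries and attach review reasons."""
    rows = []
    for r in iam_events(records):
        row = {
            "eventName": r.get("eventName"),
            "eventTime": r.get("eventTime"),
            "sourceIPAddress": r.get("sourceIPAddress"),
            "userAgent": r.get("userAgent"),
            "requestUser": get_path(r, "userIdentity.userName"),
            # CloudTrail stores this flag as the string "true"/"false"; it is
            # absent entirely when the call used long-term access keys.
            "mfaAuthenticated": get_path(
                r, "userIdentity.sessionContext.attributes.mfaAuthenticated"),
            "reasons": [],
        }
        if row["eventName"] == "CreateUser":
            row["createdUser"] = get_path(r, "requestParameters.userName")
            row["createDate"] = get_path(r, "responseElements.user.createDate")
            if row["mfaAuthenticated"] != "true":
                row["reasons"].append("created by a session without MFA")
        elif row["eventName"] == "AddUserToGroup":
            row["addedUser"] = get_path(r, "requestParameters.userName")
            row["groupName"] = get_path(r, "requestParameters.groupName")
            if row["groupName"] in PRIVILEGED_GROUPS:
                row["reasons"].append("added to privileged group")
        elif row["eventName"] == "PutUserPermissionsBoundary":
            row["addedUser"] = get_path(r, "requestParameters.userName")
            row["permissionsBoundary"] = get_path(
                r, "requestParameters.permissionsBoundary")
            # A boundary only caps permissions; AdministratorAccess as the
            # boundary means the cap is effectively removed.
            if row["permissionsBoundary"] in PRIVILEGED_BOUNDARIES:
                row["reasons"].append("boundary does not restrict anything")
        else:
            continue  # other IAM events are out of scope for this example
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in triage(load_records(SAMPLE_LOG_LINES)):
        print(row["eventTime"], row["eventName"], row["reasons"])
```

A call made with long-term access keys carries no sessionContext at all, so the mfaAuthenticated column comes back empty rather than "false"; the check treats anything other than "true" as not MFA-authenticated, which is the safe reading. A permissions boundary only caps what a user can do, so AdministratorAccess as the boundary is worth flagging because it removes the cap, not because it grants anything by itself.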
DeleteUserPermissionsBoundary
DeleteUserPermissionsBoundary records the permissions boundary being removed from a user.
filter eventSource = "iam.amazonaws.com" and eventName = "DeleteUserPermissionsBoundary"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
requestParameters.userName as user, userIdentity.userName as requestUser
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/DeleteUserPermissionsBoundary.jpg]
PutUserPolicy
A user can also hold permissions in an inline policy.
When an inline policy is added to a user, this event is recorded.
Which actions the user can perform and on which resources is written in the policy document (the policyDocument field).
filter eventSource = "iam.amazonaws.com" and eventName = "PutUserPolicy"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
requestParameters.userName as user, requestParameters.policyName as policyName,
requestParameters.policyDocument as policyDocument, userIdentity.userName as requestUser
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/PutUserPolicy.jpg]
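An added example (not from the original post) of reading the policyDocument field the query above projects: CloudTrail carries it as a string, and this code parses it and flags Allow statements that are broader than an inline user policy should normally be. The two records are constructed; accepting a URL-encoded document as well as plain JSON is an assumption made to cover both forms.

```python
# Added example (not from the original post): review the policyDocument of a
# PutUserPolicy event. Records are constructed.
import json
from urllib.parse import unquote

# Constructed PutUserPolicy records, reduced to the fields the query projects.
SAMPLE_PUT_USER_POLICY = [
    {
        "eventName": "PutUserPolicy",
        "userIdentity": {"userName": "example"},
        "requestParameters": {
            "userName": "test",
            "policyName": "inline-admin",
            "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}',
        },
    },
    {
        "eventName": "PutUserPolicy",
        "userIdentity": {"userName": "example"},
        "requestParameters": {
            "userName": "test",
            "policyName": "read-one-bucket",
            # URL-encoded form of a scoped document (assumption: both forms occur)
            "policyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22s3%3AGetObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Aexample-bucket%2F%2A%22%7D%5D%7D",
        },
    },
]


def parse_policy_document(raw):
    """policyDocument is a string in CloudTrail; accept plain or URL-encoded JSON."""
    if isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(unquote(raw))


def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def broad_statements(policy):
    """Return one reason per Allow statement that is wider than a scoped
    inline policy should be."""
    reasons = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action"))
        resources = as_list(st.get("Resource"))
        if "NotAction" in st:
            reasons.append("Allow with NotAction (everything except a list)")
        if "*" in actions and "*" in resources:
            reasons.append("full administrative access (Action * on Resource *)")
        elif any(a.endswith(":*") for a in actions):
            reasons.append("whole-service wildcard action")
        if any(a.split(":")[0].lower() == "iam" for a in actions):
            reasons.append("grants IAM actions")
    return reasons


def review_put_user_policy(record):
    """Project the query's columns and attach the review reasons."""
    params = record.get("requestParameters", {})
    policy = parse_policy_document(params.get("policyDocument", "{}"))
    return {
        "user": params.get("userName"),
        "policyName": params.get("policyName"),
        "requestUser": record.get("userIdentity", {}).get("userName"),
        "statements": len(as_list(policy.get("Statement"))),
        "reasons": broad_statements(policy),
    }


if __name__ == "__main__":
    for rec in SAMPLE_PUT_USER_POLICY:
        print(review_put_user_policy(rec))
```

The Statement, Action and Resource elements of an IAM policy may each be a single string or a list, which is why everything goes through as_list before comparison; a reviewer who only checks for a list form will miss the one-string admin statement in the first record.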
DetachUserPolicy
A policy was detached from a user.
Query for that case:
filter eventSource = "iam.amazonaws.com" and eventName = "DetachUserPolicy"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
requestParameters.policyArn as DetachedPolicy, requestParameters.userName as DetachedUser,
userIdentity.userName as requestUser
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/DetachUserPolicy.jpg]
AssumeRole
AssumeRole is not exactly IAM, but it is convenient to monitor it together with IAM.
From this result you can see who switched to which role.
filter eventSource = "signin.amazonaws.com" and eventName = "SwitchRole"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
responseElements.SwitchRole as result, additionalEventData.SwitchTo as SwitchTo, userIdentity.arn as SwitchFrom
[screenshot: https://dtiemu0c7gxsz.cloudfront.net/image/AWS-Security-Monitoring-IAM/SwitchRole.jpg]
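Running the SwitchRole query above through the CloudWatch Logs Insights API instead of the console, as an added example that is not part of the original post. It works with any of the queries on this page. The client is expected to offer boto3's start_query and get_query_results (a real one comes from boto3.client("logs")); FakeLogsClient is constructed so the code runs offline, and the log group name is a placeholder.

```python
# Added example (not from the original post): run a Logs Insights query via
# the API and turn the result rows into dicts. FakeLogsClient and the log
# group name are constructed placeholders.
import time

LOG_GROUP = "CloudTrail/DefaultLogGroup"  # placeholder: your CloudTrail log group

# Query taken from the SwitchRole section of the post.
SWITCH_ROLE_QUERY = """\
filter eventSource = "signin.amazonaws.com" and eventName = "SwitchRole"
| fields eventSource, eventName, eventTime, sourceIPAddress, userAgent,
responseElements.SwitchRole as result, additionalEventData.SwitchTo as SwitchTo, userIdentity.arn as SwitchFrom
"""

# Terminal statuses of a Logs Insights query; anything else means keep polling.
FINISHED = {"Complete", "Failed", "Cancelled", "Timeout"}


def run_insights_query(client, log_group, query, start, end,
                       limit=1000, poll_seconds=1.0):
    """Start a query, poll until it reaches a terminal status, and return the
    rows as dicts keyed by field name (the @ptr pointer column is dropped)."""
    query_id = client.start_query(
        logGroupName=log_group, startTime=int(start), endTime=int(end),
        queryString=query, limit=limit)["queryId"]
    while True:
        resp = client.get_query_results(queryId=query_id)
        if resp["status"] in FINISHED:
            break
        time.sleep(poll_seconds)
    if resp["status"] != "Complete":
        raise RuntimeError(f"query {query_id} ended with status {resp['status']}")
    return [{cell["field"]: cell["value"] for cell in row if cell["field"] != "@ptr"}
            for row in resp["results"]]


class FakeLogsClient:
    """Constructed stand-in for boto3.client("logs"): two polls return Running,
    the third returns the terminal status (Complete unless told otherwise)."""

    def __init__(self, final_status="Complete"):
        self.final_status = final_status
        self.polls = 0

    def start_query(self, **kwargs):
        assert kwargs["startTime"] < kwargs["endTime"]
        return {"queryId": "fake-query-id"}

    def get_query_results(self, queryId):
        self.polls += 1
        if self.polls < 3:
            return {"status": "Running", "results": []}
        if self.final_status != "Complete":
            return {"status": self.final_status, "results": []}
        return {
            "status": "Complete",
            "results": [[  # one row, shaped like the real API response
                {"field": "eventTime", "value": "2024-01-15T10:00:00Z"},
                {"field": "sourceIPAddress", "value": "203.0.113.10"},
                {"field": "result", "value": "Success"},
                {"field": "SwitchTo", "value": "arn:aws:iam::123456789012:role/Admin"},
                {"field": "SwitchFrom", "value": "arn:aws:iam::123456789012:user/example"},
                {"field": "@ptr", "value": "constructed-pointer"},
            ]],
        }


def switch_role_rows(client, hours=24, poll_seconds=1.0):
    """Who switched to which role during the last `hours`."""
    end = time.time()
    return run_insights_query(client, LOG_GROUP, SWITCH_ROLE_QUERY,
                              end - hours * 3600, end, poll_seconds=poll_seconds)


if __name__ == "__main__":
    for row in switch_role_rows(FakeLogsClient(), poll_seconds=0):
        print(row["eventTime"], row["SwitchFrom"], "->", row["SwitchTo"], row["result"])
```

A query that ends in Failed, Cancelled or Timeout returns no rows, so the helper raises rather than silently reporting an empty result; a scheduled check that treats "no rows" as "nothing happened" would otherwise miss the window.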