Defending
Detecting AWS Account ID Enumeration Requests
Set up a CloudTrail alert where userIdentity.type = AWSAccount and eventName = HeadBucket
Look for a large number of events with errorCode = AccessDenied
Detecting aws-enumerator behavior
Detect aws-enumerator type enumeration
SELECT *
FROM aws_enumerator
WHERE errorCode = 'AccessDenied'
AND userAgent LIKE '%aws-sdk-go%';
Identify successful enumeration requests
Note: STS GetCallerIdentity and DynamoDB DescribeEndpoints are false positives
SELECT *
FROM aws_enumerator
WHERE useridentity.username = 'userName'  -- 'userName' is a placeholder for the principal under investigation
AND (errorcode IS NULL OR errorcode = '');
Detecting AWS Password Spraying
SELECT *
FROM cloudtrail_logs_aws_cloudtrail_logs....
WHERE eventname = 'ConsoleLogin'
AND responseelements LIKE '%Success%';
Base the detection on:
- Requests coming from IPs outside the company's network
- Large number of login requests
- Many failed requests
- Login requests at unusual times or impossible travel
- Many requests using the same IP address or user agent (both are easily modified by an attacker)
Stop Leaking Secrets
Notes:
- The default password policy is weak
- MFA is not enforced automatically
- Never use one bucket for multiple purposes (e.g. static website hosting plus sensitive files)