Detections
- Home
- - Detections
- -DT064
- ID: DT064
- Created: 22nd July 2024
- Updated: 25th July 2024
- Contributor: The ITM Team
AWS CloudTrail, Resource Deletion
CloudTrail logs by themselves, or in conjunction with CloudWatch, can be used to identify resource deletion events. These logs contain the account that performed the action (within the userIdentity field), a timestamp (within the eventTime field), and more detailed information depending on what resource was deleted. Some eventName examples include; DeleteBucket
(For S3 bucket deletion), DeleteDBInstance
(For RDS deletion), and TerminateInstances
(For EC2 termination).
Sections
ID | Name | Description |
---|---|---|
IF014.005 | Deletion of Cloud Resources | A subject deletes cloud resources, resulting in harm to the organization's operations. |
AF018.002 | Environment Tripwires | The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.
This tripwire API is embedded within various parts of the environment:
Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:
The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.
Upon detecting activity, the API tripwire can take immediate evasive actions:
|