Detections
- ID: DT115
- Created: 29th April 2025
- Updated: 29th April 2025
- Platform: Amazon Web Services (AWS)
- Contributor: The ITM Team
AWS Unauthorized System or Service Modification
Monitor AWS CloudTrail logs to detect unauthorized creation, modification, or deletion of compute, storage, network, or management resources. Unauthorized resource activity may indicate insider preparation for data exfiltration, illicit compute use, or unauthorized persistent access.
Where to Configure/Access
- AWS CloudTrail Console: https://console.aws.amazon.com/cloudtrail/
- AWS CloudWatch Logs Console (for log streaming and alerting): https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups
Detection Methods
Monitor CloudTrail management events (API calls) such as:
- RunInstances (EC2 instance creation)
- CreateVolume (EBS volumes)
- CreateBucket (S3 buckets)
- CreateFunction / UpdateFunctionCode (Lambda functions; CloudTrail records Lambda event names with an API-version suffix, for example CreateFunction20150331, so match on the name prefix rather than the exact string)
- CreateCluster (ECS and EKS clusters; both emit this event name, distinguished by eventSource)
Configure the trail as a multi-region trail with event selectors that capture write management events, and deliver it to a CloudWatch Logs log group.
Set metric filters on that log group for the events above and CloudWatch alarms on the resulting metrics to alert on suspicious activity.
Indicators
- Unapproved resources provisioned without matching Infrastructure as Code deployments.
- Resources created manually via console or CLI outside approved automation frameworks.
- Resources missing mandatory organizational tags (e.g., project ID, owner).
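The following is an added example (not part of the original ITM page) showing how the event list and the three indicators above can be applied to raw CloudTrail records. The sample records are constructed for illustration; the approved deployment role ARN, the required tag keys and the user-agent heuristics for console and CLI use are assumptions that a team would replace with its own values. Tag checking is only applied to EC2 events, because S3 and Lambda tag resources through separate API calls rather than in the create request.

```python
"""Flag CloudTrail management events that look like unauthorized resource creation.

Added example; the role ARN, tag policy and sample records below are constructed.
"""

# Event names from the Detection Methods list. Lambda names carry an API-version
# suffix in CloudTrail (e.g. CreateFunction20150331), so we match on the prefix.
WATCHED_EVENT_PREFIXES = (
    "RunInstances", "CreateVolume", "CreateBucket",
    "CreateFunction", "UpdateFunctionCode", "CreateCluster",
)

# Hypothetical: the only principal allowed to create resources is the IaC
# pipeline's deployment role. Anything else is "outside approved automation".
APPROVED_AUTOMATION_ROLE_ARNS = {
    "arn:aws:iam::111122223333:role/iac-deploy-role",
}

# Hypothetical mandatory organizational tags (compared case-insensitively).
REQUIRED_TAGS = {"owner", "project-id"}


def is_watched(event_name):
    return event_name.startswith(WATCHED_EVENT_PREFIXES)


def calling_role_arn(record):
    """Role behind an assumed-role session, or the principal ARN for IAM users."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "")


def request_tags(record):
    """Tag keys from an EC2-style tagSpecificationSet in requestParameters."""
    params = record.get("requestParameters") or {}
    keys = set()
    for spec in (params.get("tagSpecificationSet") or {}).get("items", []):
        for tag in spec.get("tags", []):
            keys.add(tag.get("key", "").lower())
    return keys


def classify_channel(user_agent):
    """Heuristic (assumption): how the call was made, from the recorded userAgent."""
    ua = user_agent.lower()
    if ua.startswith("console.") or "signin.amazonaws.com" in ua:
        return "console"
    if ua.startswith("aws-cli/"):
        return "cli"
    return "sdk/automation"


def analyse(record):
    """Return indicator strings for one CloudTrail record; [] means nothing to flag."""
    name = record.get("eventName", "")
    if not is_watched(name):
        return []
    findings = []
    role = calling_role_arn(record)
    if role not in APPROVED_AUTOMATION_ROLE_ARNS:
        channel = classify_channel(record.get("userAgent", ""))
        findings.append(f"{name} by {role or 'unknown principal'} via {channel}, "
                        "outside the approved IaC deployment role")
    if record.get("eventSource") == "ec2.amazonaws.com":
        missing = REQUIRED_TAGS - request_tags(record)
        if missing:
            findings.append(f"{name} missing mandatory tags: {sorted(missing)}")
    return findings


def scan(records):
    """Map eventID -> findings for every record that raised at least one indicator."""
    results = {}
    for record in records:
        findings = analyse(record)
        if findings:
            results[record["eventID"]] = findings
    return results


# Constructed sample records (trimmed to the fields the checks use).
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"instanceType": "p3.16xlarge", "tagSpecificationSet": {"items": []}}},
    {"eventID": "evt-2", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/iac-deploy-role/terraform",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/iac-deploy-role"}}},
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0 (+https://www.terraform.io)",
     "requestParameters": {"tagSpecificationSet": {"items": [{"resourceType": "instance",
         "tags": [{"key": "Owner", "value": "platform"}, {"key": "project-id", "value": "P-42"}]}]}}},
    {"eventID": "evt-3", "eventName": "CreateFunction20150331", "eventSource": "lambda.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/developer-role/bob",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/developer-role"}}},
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 exe/x86_64",
     "requestParameters": {"functionName": "miner-bootstrap"}},
    {"eventID": "evt-4", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": "console.ec2.amazonaws.com"},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_RECORDS).items():
        for finding in findings:
            print(f"{event_id}: {finding}")
```

Run over the samples, evt-1 (console launch of a large instance, no tags) and evt-3 (Lambda function created from the CLI under a developer role) are flagged, while evt-2 (tagged launch by the deployment role) and evt-4 (a read-only call) are not. The same `analyse` function can be applied to records read from the CloudTrail S3 delivery path or to the JSON messages a CloudWatch Logs subscription delivers to a Lambda or SIEM.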
Sections
ID | Name | Description |
---|---|---|
IF009.006 | Installing Crypto Mining Software | The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks. |
Characteristics
Example Scenario: A subject installs a customized