Let’s look at an example of AWS threat detection in action with CloudTrail and the Sysdig CloudConnector. To do so we’ll create an S3 bucket, and make it public
Log into Cloud9 Workspace
S3 bucket names are globally unique, so use your initials in lower case combined with a timestamp
First set your initials as an environment variable
INITIALS=<your initials>
Now create the S3 bucket, ensuring the bucket name is in lowercase.
BUCKETNAME="${INITIALS,,}"-$(date +%s)
aws s3api create-bucket --bucket $BUCKETNAME --acl public-read
Now delete the S3 bucket’s encryption. This should be considered a potential security threat.
aws s3api delete-bucket-encryption --bucket $BUCKETNAME
To view details of this event, browse to CloudTrail then ‘Event History’
If you scroll down you’ll see details of the new CloudTrail event in JSON format:
Below is an example of a ‘DeleteBucketEncryption’ event raised after our previous command
It can take several minutes for new events to appear in CloudTrail. In the meantime you can browse the existing events created earlier from earlier activity in the account.
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAVAOQCKJMIBOSOS7IM:i-08b251cf94d4e6a80",
"arn": "arn:aws:sts::370614344560:assumed-role/Sysdig-Workshop-Admin/i-08d4e6ab251cf9480",
"accountId": "xxxxxxxxxxxxx",
"accessKeyId": "xxxxxxxxxxxx",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ARQCKJMIBOSOS7OAVAOIM",
"arn": "arn:aws:iam::370614344560:role/Sysdig-Workshop-Admin",
"accountId": "xxxxxxxxxxxx",
"userName": "Sysdig-Workshop-Admin"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-12-16T10:37:43Z"
},
"ec2RoleDelivery": "2.0"
}
},
"eventTime": "2020-12-16T11:02:06Z",
"eventSource": "s3.amazonaws.com",
"eventName": "DeleteBucketEncryption",
"awsRegion": "us-east-1",
"sourceIPAddress": "54.208.132.231",
"userAgent": "[aws-cli/1.18.197 Python/3.6.12 Linux/4.14.203-116.332.amzn1.x86_64 botocore/1.19.37]",
"requestParameters": {
"bucketName": "in-1608116489",
"Host": "in-1608116489.s3.amazonaws.com",
"encryption": ""
},
"responseElements": null,
"additionalEventData": {
"SignatureVersion": "SigV4",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"bytesTransferredIn": 0,
"AuthenticationMethod": "AuthHeader",
"x-amz-id-2": "7oxWqk04DWgmjvSO3TgutyZPtcOYIfnJud2SGZEQOryG3LNgpSV9ZYCd4jLqatr9VaGMEefUVKg=",
"bytesTransferredOut": 0
},
"requestID": "E90DD548B6C5B224",
"eventID": "af6a54f9-c2ee-4e14-866a-48f9338bcc94",
"readOnly": false,
"resources": [
{
"accountId": "xxxxxxxxxxxx",
"type": "AWS::S3::Bucket",
"ARN": "arn:aws:s3:::in-1608116489"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "370614344560"
}
Please note that all data in the JSON doc above is fictitious and is used as an example.
All CloudTrail events have the following key fields:
If a request has an errorCode field, it means that it could not be processed because of an error. For example, the requester may not have had permission to perform a change.
In this case, we can see how a policy has just been attached (AttachUserPolicy) to a user (admin_test) with administrator access (arn:aws:iam::aws:policy/AdministratorAccess).
A Falco rule to detect this elevation of privileges would look like this:
- rule: Delete bucket encryption
desc: Detect deleting configuration to use encryption for bucket storage
condition: >
jevt.value[/eventName]="DeleteBucketEncryption" and not jevt.value[/errorCode] exists
output: >
A encryption configuration for a bucket has been deleted
(requesting user=%jevt.value[/userIdentity/arn],
requesting IP=%jevt.value[/sourceIPAddress],
AWS region=%jevt.value[/awsRegion],
bucket=%jevt.value[/requestParameters/bucketName])
priority: CRITICAL
tags: [cloud, source=cloudtrail, aws, NIST800_53, NIST800_53_AU8]
source: k8s_audit
Some points to note about this rule:
The jevt.value contains the JSON content of the event, and we are using it in the condition. Using the jsonpath format, we can indicate what parts of the event we want to evaluate.
The output will provide context information including the requester username and IP address - this is what will be sent through all of the enabled notification channels.
As you can see, this is a regular Falco rule. In fact, this particular rule is already included out-of-the-box in Sysdig CloudConnector. CloudTrail compatibility is achieved by handling its events as JSON objects, and referring to the event information using JSONPath.