Sekoia.io outlines AWS detection engineering best practices, emphasizing CloudTrail as the core log source and recommending complementary use of Flow Logs and GuardDuty for enhanced visibility. The article lists specific CloudTrail events to monitor for Initial Access, Persistence, Defense Evasion, Discovery, Exfiltration, and Impact. #AWS #CloudTrail

Keypoints

  • Three primary AWS log sources for detection: CloudTrail (mandatory), Flow Logs (network telemetry), and GuardDuty (specialized AWS detections).
  • GuardDuty alerts are ingested as-is for straightforward detection; Flow Logs are matched via CTI rather than bespoke rules due to volume and variability.
  • CloudTrail provides the main actionable events; many events are noisy and require filtering/whitelisting to avoid performance issues and false positives.
  • Important CloudTrail events to monitor by TTP include AttachUserPolicy (with AWSCompromisedKeyQuarantineV2), CreateKeyPair/SendSSHPublicKey, identity provider creation/update/deletion, and logging/GuardDuty deletion or modification events.
  • Discovery activity can be detected by correlating multiple Describe* API calls (e.g., DescribeInstances, DescribeSecurityGroups) within a short time window, though environment-specific tuning is required.
  • Exfiltration and impact indicators include EC2-specific actions like CreateInstanceExportTask and RunInstances with user-data (commonly abused to deploy cryptominers), but CloudTrail may redact sensitive userData.

MITRE Techniques

  • [T1078] Valid Accounts – Compromised AWS access keys leading to initial access; article notes “‘AWSCompromisedKeyQuarantineV2’ … AWS detected that your access key was compromised.”
  • [T1098] Account Manipulation – Creation of SSH key pairs and SSH public key uploads for persistent access; referenced events include “‘CreateKeyPair’, ‘SendSSHPublicKey’, ‘SendSerialConsoleSSHPublicKey’.”
  • [T1556] Modify Authentication Process – Creation or modification of identity providers (SAML/OpenID) to establish persistence or federated access; quoted events: “‘CreateOpenIDConnectProvider’, ‘CreateSAMLProvider’, ‘UpdateSAMLProvider’, ‘DeleteSAMLProvider’.”
  • [T1562] Impair Defenses – Disabling or altering logging/detection services to evade detection; relevant events include “‘DeleteFlowLogs’, ‘DeleteTrail’, ‘StopLogging’, ‘UpdateTrail’, ‘DeleteDetector’, ‘UpdateDetector’, ‘CreateIPSet’.”
  • [T1526] Cloud Service Discovery – Use of multiple Describe* API calls to enumerate resources and settings; article lists “‘DescribeInstances’, ‘DescribeSecurityGroups’, ‘DescribeKeyPairs’, ‘DescribeRegions’, ‘DescribeImages’, ‘DescribeSnapshots’.”
  • [T1537] Transfer Data to Cloud Account – Exporting EC2 instances as a means to extract data from an environment; the event noted is “‘CreateInstanceExportTask’.”
  • [T1496] Resource Hijacking – Launching EC2 instances with malicious user-data scripts (e.g., crypto miners); detected by monitoring “‘RunInstances’ with userData parameter present.”

Indicators of Compromise

  • [CloudTrail event names] API/event indicators to monitor – CreateKeyPair, RunInstances, CreateInstanceExportTask, and the other CloudTrail events listed above (plus the broader Describe*/Modify* event families).
  • [GuardDuty finding/parameter] compromised-key marker – AWSCompromisedKeyQuarantineV2 (flag indicating detected leaked access key).
  • [Flow Logs (network telemetry)] suspicious external connections – malicious IPs/domains observed in netflow (i.e., IPs in Flow Logs that match CTI indicators, rather than bespoke netflow rules).
  • [CloudTrail request parameters] presence of sensitive fields – userData parameter in RunInstances (user-data is redacted in CloudTrail but its presence can be flagged).

To implement AWS-focused detection effectively, prioritize ingesting CloudTrail as the canonical API audit log, supplement it with GuardDuty alerts for high-fidelity detections, and use Flow Logs for network intelligence tied to CTI matches rather than trying to craft universal netflow rules. For GuardDuty, create alerts directly from its findings; for Flow Logs, rely on CTI-driven matches against parsed flow fields to reduce noise and performance impacts.

When building CloudTrail-based detections, focus on low-noise, high-signal events and correlate related calls to reduce false positives. Key event categories to monitor: AttachUserPolicy (watch for AWSCompromisedKeyQuarantineV2), key pair and SSH public key creation (CreateKeyPair, SendSSHPublicKey), identity provider changes (CreateOpenIDConnectProvider, CreateSAMLProvider, UpdateSAMLProvider, DeleteSAMLProvider), logging/monitoring modifications (DeleteTrail, StopLogging, DeleteFlowLogs, DeleteDetector, UpdateDetector), Describe* enumeration patterns for discovery, CreateInstanceExportTask for potential exfiltration, and RunInstances with user-data usage for runtime payload deployment (e.g., cryptomining).

Tune detections per environment by whitelisting known administrative principals and adjusting correlation thresholds (for example, multiple Describe* calls within 30 minutes) to balance sensitivity and alert volume. Combine event-name monitoring with inspection of request/response parameters where available, and integrate CTI so Flow Logs and GuardDuty findings enhance CloudTrail detections without overwhelming analysts.
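As an added example (not code from the Sekoia.io article), the rule set below applies the CloudTrail checks and the 30-minute Describe* correlation described above to constructed sample records, with an allowlist for known administrative principals. The account ID, principal names, event times, alert rule names and the three-distinct-calls threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logging/monitoring modification events the article lists under defense evasion.
DEFENSE_EVASION = {"DeleteTrail", "StopLogging", "UpdateTrail", "DeleteFlowLogs", "DeleteDetector", "UpdateDetector"}

def ev(t, name, user, params=None):  # constructed minimal CloudTrail record: only the fields the rules read
    return {"eventTime": t, "eventName": name, "requestParameters": params,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample telemetry, not real logs; userData is shown redacted as CloudTrail delivers it.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00Z", "AttachUserPolicy", "dev1",
       {"userName": "dev1", "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"}),
    ev("2024-05-01T10:02:00Z", "DescribeInstances", "dev1"),
    ev("2024-05-01T10:05:00Z", "DescribeSecurityGroups", "dev1"),
    ev("2024-05-01T10:20:00Z", "DescribeKeyPairs", "dev1"),
    ev("2024-05-01T10:25:00Z", "StopLogging", "dev1", {"name": "main-trail"}),
    ev("2024-05-01T10:30:00Z", "RunInstances", "dev1", {"instanceType": "c5.xlarge", "userData": "<sensitiveDataRemoved>"}),
    ev("2024-05-01T09:00:00Z", "DescribeInstances", "admin"),  # routine admin enumeration, allowlisted by the caller
    ev("2024-05-01T09:01:00Z", "DescribeImages", "admin"),
    ev("2024-05-01T09:02:00Z", "DescribeRegions", "admin"),
    ev("2024-05-01T08:00:00Z", "DescribeInstances", "ops"),  # two calls 90 min apart: below the burst threshold
    ev("2024-05-01T09:30:00Z", "DescribeSnapshots", "ops"),
]

def detect(events, window_minutes=30, min_distinct_describe=3, allowlist=frozenset()):
    """Per-event rules plus Describe* burst correlation; returns (rule, principal, detail) tuples."""
    alerts, describes = [], defaultdict(list)  # describes: principal ARN -> [(time, eventName)]
    for e in sorted(events, key=lambda x: x["eventTime"]):
        name, principal, params = e["eventName"], e["userIdentity"]["arn"], e["requestParameters"] or {}
        if principal in allowlist:  # whitelisted administrative principals are skipped entirely
            continue
        if name == "AttachUserPolicy" and params.get("policyArn", "").endswith("/AWSCompromisedKeyQuarantineV2"):
            alerts.append(("compromised_key_quarantine", principal, params.get("userName")))
        elif name in DEFENSE_EVASION:
            alerts.append(("defense_evasion", principal, name))
        elif name == "RunInstances" and "userData" in params:  # presence, not content, is the signal
            alerts.append(("runinstances_with_userdata", principal, name))
        elif name.startswith("Describe"):
            describes[principal].append((datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"), name))
    window = timedelta(minutes=window_minutes)  # sliding window over each principal's Describe* calls
    for principal, calls in describes.items():
        for i, (t0, _) in enumerate(calls):
            names = {n for t, n in calls[i:] if t - t0 <= window}
            if len(names) >= min_distinct_describe:
                alerts.append(("discovery_burst", principal, sorted(names)))
                break  # one discovery alert per principal is enough for the analyst
    return alerts
```

Raising `min_distinct_describe` or shrinking `window_minutes` is the per-environment tuning knob; the allowlist removes known admin tooling before any rule runs.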

Read more: https://blog.sekoia.io/aws-detection-engineering/