Monitor Unintended AWS API Calls

Risk level: Very High (act immediately)

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected unintended AWS API calls made in your Amazon Web Services account.

This rule resolution is part of the Cloud Conformity Security Package


An unintended AWS API call is a request whose "Action" parameter names an operation that is not planned or meant to be performed within your AWS account. Detecting unintended API calls in real time helps with risk mitigation. For example, if an inexperienced user is granted (accidentally or intentionally) unintended IAM API access and begins making API calls, their actions can lead to severe security issues, data leaks, data loss and/or unexpected charges on your AWS bill.

Once enabled, the Cloud Conformity RTMA feature starts monitoring for unintended AWS API requests, giving you visibility into the API activity in your AWS account. Cloud Conformity RTMA uses the logging information collected by AWS CloudTrail to process and send notifications about unintended AWS API calls made within your account.

The following is an example of an AWS CloudTrail log entry used by the Cloud Conformity RTMA engine to detect unintended API calls. The example shows how an IAM user named James has used the AWS CLI to perform an unintended API call (in this case a call to the Amazon EC2 "StartInstances" action) via the ec2-start-instances CLI command, on an EC2 instance identified by the ID i-01234567abcabcabc:


{"Records": [{
    "eventVersion": "1.0",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AABBCCDDAABBCCDDAABBC",
        "arn": "arn:aws:iam::123456789012:user/James",
        "accessKeyId": "AAAABBBBCCCCDDDDEEEE",
        "accountId": "123456789012",
        "userName": "James"
    },
    "eventTime": "2018-09-06T11:32:44Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StartInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.0.0",
    "userAgent": "ec2-api-tools 1.6.0.2",
    "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-01234567abcabcabc"}]}},
    "responseElements": {"instancesSet": {"items": [{
        "instanceId": "i-01234567abcabcabc",
        "currentState": {
            "code": 0,
            "name": "pending"
        },
        "previousState": {
            "code": 80,
            "name": "stopped"
        }
    }]}}
}]}


The activity detected by Cloud Conformity RTMA, based on AWS CloudTrail logging data, can be any AWS API request that triggers one of the events predefined in the conformity rule settings. Before the Cloud Conformity engine runs this rule, the unintended AWS service events must be configured in the rule settings on your Cloud Conformity account dashboard. For example, if your AWS production account has been locked down and no change to the IAM service is expected: Identity: IAM user, Service: IAM, Event: * (all). Or, when AWS CloudTrail trails cannot be removed from your AWS account by the root user or any IAM user: Identity: * (all), Service: CloudTrail, Event: "DeleteTrail". Another example, shown in the table below, is an AWS account that is completely locked down for auditing, where no user action is expected: Identity: * (all), Service: * (all), Events: "Create*", "Delete*", "Update*", "Put*", "Stop*":

Identity   Service     Event
IAM user   IAM         *
*          CloudTrail  DeleteTrail
IAM user   EC2         StartInstances
*          *           "Create*", "Delete*", "Update*", "Put*", "Stop*"
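To make the rule settings above concrete, here is an added example (not Cloud Conformity's own code) that evaluates CloudTrail records against the table's Identity / Service / Event entries, with "*" wildcards, and reports each call that matches at least one entry. It assumes that "IAM user" maps to CloudTrail's userIdentity.type value "IAMUser" and that the service is the prefix of eventSource; the input is the page's StartInstances record plus a constructed root-user DeleteTrail record.

```python
import fnmatch
import json

# Constructed input: the StartInstances record shown on this page plus a second,
# made-up record (root user deleting a CloudTrail trail) to exercise the wildcards.
SAMPLE_LOG = json.loads("""{"Records": [
 {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/James",
                   "accountId": "123456789012", "userName": "James"},
  "eventTime": "2018-09-06T11:32:44Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "StartInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.0.0"},
 {"userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                   "accountId": "123456789012"},
  "eventTime": "2018-09-06T11:40:02Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DeleteTrail", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.0.0"}
]}""")

# Rule settings from the table: (identity, service, event patterns); "*" matches anything.
# Assumed mapping: "IAM user" -> userIdentity.type "IAMUser"; service = eventSource prefix.
RULES = [
    ("IAMUser", "iam", ["*"]),
    ("*", "cloudtrail", ["DeleteTrail"]),
    ("IAMUser", "ec2", ["StartInstances"]),
    ("*", "*", ["Create*", "Delete*", "Update*", "Put*", "Stop*"]),
]


def service_of(record):
    return record["eventSource"].split(".", 1)[0].lower()  # 'ec2.amazonaws.com' -> 'ec2'


def matching_rules(record, rules=RULES):
    """Return every rule the event matches; a non-empty result means 'unintended'."""
    identity, service, event = record["userIdentity"]["type"], service_of(record), record["eventName"]
    hits = []
    for rule_identity, rule_service, patterns in rules:
        if rule_identity not in ("*", identity) or rule_service not in ("*", service):
            continue
        if any(fnmatch.fnmatchcase(event, pattern) for pattern in patterns):
            hits.append((rule_identity, rule_service, patterns))
    return hits


def unintended_calls(log, rules=RULES):
    """One alert per CloudTrail record that matched at least one configured rule."""
    alerts = []
    for rec in log["Records"]:
        hits = matching_rules(rec, rules)
        if hits:
            who = rec["userIdentity"].get("userName") or rec["userIdentity"]["arn"]
            alerts.append({"user": who, "service": service_of(rec), "event": rec["eventName"],
                           "time": rec["eventTime"], "matched": len(hits)})
    return alerts
```

The DeleteTrail record matches twice (the explicit CloudTrail entry and the "Delete*" wildcard), which is why the alert carries a match count rather than a single rule.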

The communication channels used for sending RTMA notifications can be configured in your Cloud Conformity account settings. The supported channels for receiving notification alerts about unintended API calls are Email, SMS, Slack, PagerDuty, Zendesk and ServiceNow.

Rationale

With Cloud Conformity RTMA monitoring you have complete visibility over your AWS account API activity. This can help you prevent accidental or intentional user actions that may lead to unauthorized access or other security breaches. Beyond prevention, you can keep your AWS environment secure by acting on any unusual API requests detected at the AWS service or resource level. Besides granting your AWS users the minimum privileges necessary to perform their assigned tasks (the principle of least privilege), Cloud Conformity highly recommends using this RTMA rule to monitor your AWS account 24/7 for unintended API activity.

Publication date Sep 9, 2018