LoFP / aws

aws rule

a database instance may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. instance creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a domain may be transferred to another aws account by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. domain transfers from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a domain transfer lock may be disabled by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. activity from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an elasticache security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an elasticache security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a kms customer managed key may be disabled or scheduled for deletion by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. key deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a log stream may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log stream deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an mfa device may be deactivated by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. mfa device deactivations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a private hosted zone may be associated with a vpc by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. if known behavior is causing false positives, it can be exempted from the rule.
a resource group may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. resource group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an s3 configuration change may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. s3 configuration changes from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
users adding access keys to their own accounts (the filter cannot cover all possible variants of user naming)
adding users to a specified group may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. user additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
administrators listing buckets; it may be necessary to filter out users who commonly conduct this activity.
an rds security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an rds security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
assumerole from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
assumerole may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
authorized changes to the aws account's identity provider
automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
automated processes that use terraform may lead to false positives.
aws administrator legitimately disabling bucket versioning
aws api keys legitimate exchange workflows
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
benign changes to a db instance
bucket components may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
clusters or instances may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
dev, uat, and sat environments. you should apply this rule to the prod account only.
dev, uat, and sat environments. you should apply this rule to the prod environment only.
disabling encryption may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. disabling encryption by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eks cluster creation or deletion may be performed by a system administrator.
eks clusters created or deleted by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eventbridge rules could be deleted or disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. eventbridge rules being deleted or disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
exporting snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
file system or mount deletion may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. file system or mount deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall (web) acls may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. web acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
getsessiontoken may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. getsessiontoken from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
getsignintoken events will occur when using the aws sso portal to log in and will generate false positives if you do not filter for the expected user agent(s); see the rule's filter. non-sso configured roles would be abnormal and should be investigated.
glue development endpoint activity may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
iam users may occasionally share ec2 snapshots with another aws account belonging to the same organization. if known behavior is causing false positives, it can be exempted from the rule.
if known behavior is causing false positives, it can be exempted from the rule.
it is strongly recommended that the root user not be used for everyday tasks, including administrative ones. verify whether the ip address, location, and/or hostname should be logging in as root in your environment. unfamiliar root logins should be investigated immediately. if known behavior is causing false positives, it can be exempted from the rule.
known or internal account ids or automation
lambda layers being attached by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda layer attachment may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
legitimate user account administration
network acls may be created by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network acls may be deleted by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
new or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently.
new or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.
privileged iam users with security responsibilities may be expected to make changes to the config service in order to align with local security policies and requirements. automation, orchestration, and security tools may also make changes to the config service, where they are used to automate setup or configuration of aws accounts. other kinds of user or service contexts do not commonly make changes to this service.
rare and unusual errors may indicate an impending service failure state. rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to iam privileges.
restoring snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot restoration by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
route tables could be modified or deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table modifications by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may also lead to false positives.
route tables may be created by system or network administrators. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table creation by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may lead to false positives.
saml provider updates by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a saml provider could be updated by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. saml provider updates by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
some organizations allow login with the root user without mfa; however, this is not considered best practice by aws and increases the risk of compromised credentials.
spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to iam privileges.
suspending the recording of a trail may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail suspensions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
system administrator activities
system or network administrator behaviors
task definition being modified to request credentials from the task metadata service for valid reasons
the guardduty detector may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. detector deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
traffic mirroring may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. traffic mirroring from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail creations may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail deletions may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
valid change in a trail
valid change in aws config service
valid change in guardduty (e.g., to ignore internal scanners)
valid change to a snapshot's permissions
valid changes to the startup script
valid clusters may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
valid clusters or instances may be stopped by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance stoppages from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
valid usage of s3 browser for iam loginprofile listing and/or creation
valid usage of s3 browser for iam user and/or accesskey creation
valid usage of s3 browser with accidental creation of the default inline iam policy without changing the default s3 bucket name placeholder value
verify whether the user identity, user agent, and/or hostname should be making changes in your environment. suspicious commands from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. password reset attempts from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
verify whether the user identity, user agent, and/or hostname should be using getsecretstring api for the specified secretid. if known behavior is causing false positives, it can be exempted from the rule.
vm exports may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. vm exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
waf rules or rule groups may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. rule deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
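Most entries above describe the same triage loop: check whether the user identity, user agent and source host should be making the change, exempt known behavior, and investigate the rest. The following is an added example of that loop over CloudTrail records, written for this page; it is not code from this page or from any detection-rule repository. The rule titles, the allowlisted ARNs, the user-agent marker and the sample records are constructed assumptions; the eventName values are CloudTrail event names. It also applies two of the specific caveats listed above: a user adding an access key to their own account is exempted by an exact userName match (which does not cover every variant of user naming), and a root console login is never exempted, with a missing MFA flagged as the more urgent case.

```python
# Added example for this LoFP page, not code from any detection-rule repository.
# The CloudTrail records below are constructed; the allowlists are assumptions a
# team would replace with its own administrators, automation roles and agents.
import json
from dataclasses import dataclass
from typing import Optional

# Rules paraphrased from this page, keyed by the CloudTrail eventName they match.
RULES = {
    "CreateAccessKey": "iam access key created",
    "DeactivateMFADevice": "mfa device deactivated",
    "StopLogging": "cloudtrail trail suspended",
    "DeleteTrail": "cloudtrail trail deleted",
    "ConsoleLogin": "root console login",
}

# Hypothetical allowlists (assumptions). ARNs are exact matches; the user-agent
# check is a substring match because agent strings carry version numbers.
KNOWN_ADMIN_ARNS = {"arn:aws:iam::111122223333:user/alice-admin"}
KNOWN_AUTOMATION_ARNS = {"arn:aws:sts::111122223333:assumed-role/terraform-apply/ci-run"}
KNOWN_AUTOMATION_AGENTS = ("Terraform/",)


@dataclass
class Finding:
    rule: str
    status: str  # "alert" or "exempt"
    reason: str
    actor: str
    user_agent: str
    source_ip: str


def known_behavior(event: dict) -> Optional[str]:
    """Return why the actor is known (exempt), or None if unfamiliar."""
    arn = event.get("userIdentity", {}).get("arn", "")
    agent = event.get("userAgent", "")
    if arn in KNOWN_ADMIN_ARNS:
        return "known administrator identity"
    if arn in KNOWN_AUTOMATION_ARNS:
        return "known automation role"
    if any(marker in agent for marker in KNOWN_AUTOMATION_AGENTS):
        return "known automation user agent"
    return None


def evaluate(event: dict) -> Optional[Finding]:
    """Run the matching rule over one CloudTrail record; None means no rule fired."""
    name = event.get("eventName")
    if name not in RULES:
        return None
    ident = event.get("userIdentity", {})
    base = dict(rule=RULES[name], actor=ident.get("arn") or ident.get("type", "unknown"),
                user_agent=event.get("userAgent", ""), source_ip=event.get("sourceIPAddress", ""))

    if name == "ConsoleLogin":
        # Root should not be used for everyday tasks, so root logins are never
        # exempted; a root login without MFA is the more urgent case.
        if ident.get("type") != "Root":
            return None
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        reason = "root login without mfa" if mfa == "No" else "root login (mfa used)"
        return Finding(status="alert", reason=reason, **base)

    if name == "CreateAccessKey" and ident.get("type") == "IAMUser":
        # A user adding a key to their own account: requestParameters.userName is
        # absent or equals the caller's userName. Exact match only, so it does
        # not cover every variant of user naming.
        target = event.get("requestParameters", {}).get("userName")
        if target is None or target == ident.get("userName"):
            return Finding(status="exempt", reason="user added a key to their own account", **base)

    reason = known_behavior(event)
    if reason:
        return Finding(status="exempt", reason=reason, **base)
    return Finding(status="alert", reason="unfamiliar identity and user agent; verify", **base)


def triage(log_lines) -> list:
    """Evaluate newline-delimited CloudTrail JSON records and return the findings."""
    findings = [evaluate(json.loads(line)) for line in log_lines]
    return [f for f in findings if f is not None]


# Constructed sample records (not real CloudTrail output), one JSON line each.
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"}
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"eventName": "CreateAccessKey", "userIdentity": BOB, "requestParameters": {"userName": "bob"},
     "userAgent": "console.amazonaws.com", "sourceIPAddress": "203.0.113.10"},
    {"eventName": "CreateAccessKey", "userIdentity": BOB, "requestParameters": {"userName": "svc-backup"},
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.10"},
    {"eventName": "DeleteTrail", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/terraform-apply/ci-run"},
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0", "sourceIPAddress": "198.51.100.7"},
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser",
     "arn": "arn:aws:iam::111122223333:user/mallory", "userName": "mallory"},
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "192.0.2.99"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}, "userAgent": "Mozilla/5.0", "sourceIPAddress": "192.0.2.99"},
)]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.status:6} {f.rule:26} {f.reason:44} {f.actor}")
```

Exemptions are keyed on the identity ARN first and on the user agent only as a fallback, because a user agent is a client-supplied string that any caller can set; an exemption that rests on the agent alone (the terraform entries above) is only as trustworthy as the credentials that produced the event. The self-service key check is the one place where the exemption is derived from the event itself rather than an allowlist, which is why the entry above warns that the filter cannot cover every user-naming variant.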