LoFP / changes to security groups to allow for new services to be deployed

Sample rules

LoadBalancer Security Group Modification

Description

Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration that allows more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.

Detection logic

condition: selection
selection:
  eventName:
  - ApplySecurityGroupsToLoadBalancer
  - SetSecurityGroups
  eventSource: elasticloadbalancing.amazonaws.com
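
The selection above, applied to CloudTrail records and reduced to the fields a reviewer needs to tell a planned deployment from an unexpected change. This is an added example, not code from the rule or from LoFP; the sample records, account ID, ARNs and the requestParameters field names are constructed assumptions.

```python
# Added example: the page's selection applied to constructed CloudTrail records.
SELECTION = {
    "eventSource": ["elasticloadbalancing.amazonaws.com"],
    "eventName": ["ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups"],
}

def matches(event, selection=SELECTION):
    """Sigma map semantics: all fields must match (AND), any listed value may
    match (OR); plain string values compare case-insensitively."""
    for field, allowed in selection.items():
        value = event.get(field)
        if not isinstance(value, str):
            return False
        if value.lower() not in {a.lower() for a in allowed}:
            return False
    return True

def triage(events):
    """Return one summary per matching record: who changed which load balancer."""
    hits = []
    for ev in events:
        if not matches(ev):
            continue
        # Assumed requestParameters shape; these field names are not on the page.
        params = ev.get("requestParameters") or {}
        hits.append({
            "time": ev.get("eventTime"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "action": ev["eventName"],
            "load_balancer": params.get("loadBalancerArn") or params.get("loadBalancerName"),
            "security_groups": params.get("securityGroups", []),
        })
    return hits

# Constructed sample records (not real log data).
ELB = "elasticloadbalancing.amazonaws.com"
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": ELB, "eventName": "SetSecurityGroups",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy-pipeline/release"},
     "requestParameters": {"loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0000000000000000",
                           "securityGroups": ["sg-00000000000000001"]}},
    {"eventTime": "2024-01-01T23:10:00Z", "eventSource": ELB, "eventName": "ApplySecurityGroupsToLoadBalancer",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"loadBalancerName": "example-classic", "securityGroups": ["sg-00000000000000002"]}},
    {"eventTime": "2024-01-01T23:11:00Z", "eventSource": ELB, "eventName": "DescribeLoadBalancers"},
    {"eventTime": "2024-01-01T23:12:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the first two records match; the actor ARN in each summary is what distinguishes a deployment pipeline role from an interactive user when reviewing the alert.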