LoFP / users may legitimately access aws systems manager (ssm) parameters using the getparameter, getparameters, or describeparameters api actions with credentials in the request parameters. ensure that the user has a legitimate reason to access the parameters and that the credentials are secured.

Techniques

• T1555

Sample rules

AWS Systems Manager SecureString Parameter Request with Decryption Flag

• source: elastic
• technicques:
  • T1555

Description

Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the withDecryption parameter set to true. This is a NewTerms rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: "ssm.amazonaws.com"
    and event.action: (GetParameters or GetParameter)
    and event.outcome: success
    and aws.cloudtrail.flattened.request_parameters.withDecryption: true
    and not source.address: (
        "cloudformation.amazonaws.com" or
        "servicecatalog.amazonaws.com"
    )