Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is causing false positives, it can be exempted from the rule. The `history_window_start` value can be modified to reflect the expected frequency of known activity within a particular environment.

Techniques

Sample rules

First Time AWS Cloudformation Stack Creation by User

Description

This rule detects the first time a principal successfully calls the AWS CloudFormation CreateStack or CreateStackSet API. CloudFormation creates a single collection of cloud resources, called a stack, from a defined template file. An attacker with the appropriate privileges could use CloudFormation to create the specific resources needed to further exploit the environment. This is a new terms rule: it alerts on the first instance of this behavior in the last 10 days for a given role or IAM user within a particular account.

Detection logic

event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
    event.action: (CreateStack or CreateStackSet) and event.outcome:success
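The query above and the new-terms behavior described in the rule, run over constructed CloudTrail-style events as an added example (not code from the rule's author or the detection platform). It assumes ECS-style flat field names, `cloud.account.id` plus `user.name` as the new-terms fields, and a simplified history window measured from each event rather than from rule execution time.

```python
from datetime import datetime, timedelta

# Constructed, ECS-style CloudTrail events for illustration (not real logs).
# Fields mirror those referenced by the rule's query plus the assumed
# new-terms fields cloud.account.id and user.name.
def ev(day, account, user, action, outcome="success",
       provider="cloudformation.amazonaws.com"):
    return {"@timestamp": datetime(2024, 1, day), "event.dataset": "aws.cloudtrail",
            "event.provider": provider, "event.action": action,
            "event.outcome": outcome, "cloud.account.id": account, "user.name": user}

SAMPLE_EVENTS = [
    ev(1, "111111111111", "alice", "CreateStack"),                   # first for alice/111 -> alert
    ev(3, "111111111111", "alice", "CreateStackSet"),                # within 10 days -> no alert
    ev(4, "111111111111", "bob", "CreateStack", outcome="failure"),  # query excludes failures
    ev(5, "111111111111", "bob", "DescribeStacks"),                  # query excludes other actions
    ev(6, "111111111111", "bob", "CreateStack"),                     # first for bob/111 -> alert
    ev(7, "111111111111", "ci-deploy", "CreateStack"),               # known automation, exempted
    ev(8, "222222222222", "alice", "CreateStack"),                   # new (account, user) pair -> alert
    ev(20, "111111111111", "alice", "CreateStack"),                  # last seen day 3 -> alert again
]

def matches_query(e):
    """The rule's KQL filter evaluated on one event."""
    return (e["event.dataset"] == "aws.cloudtrail"
            and e["event.provider"] == "cloudformation.amazonaws.com"
            and e["event.action"] in ("CreateStack", "CreateStackSet")
            and e["event.outcome"] == "success")

def new_terms_alerts(events, history_window=timedelta(days=10), exempt=frozenset()):
    """Simplified new-terms evaluation: alert when an (account, user) pair has no
    matching event within the preceding history_window. Returns alerts as
    (account, user, timestamp) tuples in time order. `exempt` models the
    LoFP guidance of exempting known user identities from the rule."""
    last_seen = {}
    alerts = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if not matches_query(e):
            continue
        if e["user.name"] in exempt:
            continue
        key = (e["cloud.account.id"], e["user.name"])
        prev = last_seen.get(key)
        if prev is None or e["@timestamp"] - prev > history_window:
            alerts.append((*key, e["@timestamp"]))
        last_seen[key] = e["@timestamp"]
    return alerts

if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS, exempt={"ci-deploy"}):
        print(alert)
```

Shrinking `history_window` is the equivalent of moving `history_window_start` closer to now: the day-20 event stops alerting only if the window is widened past 17 days.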