How to detect suspicious activity in your AWS accounts by using private decoy resources

As customers mature their security posture on Amazon Web Services (AWS), they adopt multiple methods to detect suspicious behavior and to notify response teams or workflows when it occurs. One example is using Amazon GuardDuty to monitor AWS accounts and workloads for malicious activity and to deliver detailed security findings for visibility and remediation. Another approach is to deploy decoys, also known as honeypots, which are an effective way to detect suspicious behavior.

<p>In this blog post, we show you how to create low-cost private decoy AWS resources in your AWS accounts and configure them to generate alerts when they are accessed. These decoy resources appear legitimate but contain no useful or sensitive data, and they are not accessed in the normal course of business by your users and systems. Any attempt to access them is therefore a clear signal of suspicious activity that should be investigated. You can use data sources such as <a href="https://aws.amazon.com/cloudtrail/" target="_blank" rel="noopener noreferrer">AWS CloudTrail</a>, services such as <a href="https://aws.amazon.com/detective/" target="_blank" rel="noopener noreferrer">Amazon Detective</a>, and your own security information and event management (SIEM) systems to investigate the activity further. This post is intended for experienced AWS users and security professionals.</p>

<h2>Detecting suspicious activity</h2>
<p>Suppose an unauthorized user has obtained credentials for your account. This could also be an insider, careless or malicious, using their legitimate credentials inappropriately. The unauthorized user could use these credentials to invoke AWS API calls to list the resources in your account. As a next step, they might try to access resources that are commonly used to store sensitive data, such as objects in <a href="http://aws.amazon.com/s3" target="_blank" rel="noopener noreferrer">Amazon Simple Storage Service (Amazon S3)</a> buckets, secrets in <a href="https://aws.amazon.com/secrets-manager/" target="_blank" rel="noopener noreferrer">AWS Secrets Manager</a>, or items in <a href="http://aws.amazon.com/dynamodb" target="_blank" rel="noopener noreferrer">Amazon DynamoDB</a>. They might also try to elevate their privileges by assuming other <a href="http://aws.amazon.com/iam" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management (IAM)</a> roles in your account. In your role as a security professional, your task is to detect this suspicious behavior and take action in response. One approach is to learn the baseline activity of the IAM users and roles in your account and flag any deviation from that baseline; this is the approach GuardDuty takes when it generates findings such as <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior" target="_blank" rel="noopener noreferrer">Discovery:IAMUser/AnomalousBehavior</a>.</p>
<p>This post focuses on a different approach: creating private decoy resources in your account that are designed to look legitimate, but hold no sensitive or useful data and are not exposed publicly. These decoys are designed to alert you to suspicious activity that could indicate exposed AWS credentials or account compromise. You can use the decoys alongside other techniques, such as deception environments and public and private honeypots, to better detect suspicious activity in your accounts and applications.</p>
<h2>The Fidelity-Isolation-Cost trilemma</h2>
<p>In an ACM Queue article titled <a href="https://queue.acm.org/detail.cfm?id=3494836" target="_blank" rel="noopener noreferrer">Lamboozling Attackers: A New Generation of Deception</a>, Kelly Shortridge and Ryan Petrich introduced the Fidelity-Isolation-Cost (FIC) trilemma, which "captures the most important dimensions of designing deception systems: fidelity, isolation, and cost." Applying their description of the FIC trilemma, we see that decoy AWS resources are well suited to designing deception systems:</p>
<ul>
<li><strong>Fidelity</strong> – Because the decoys are real AWS resources, they behave like any other legitimate resource and so have high fidelity. For example, a decoy S3 bucket behaves exactly like any other S3 bucket, with the only exception that the object data it contains is dummy data rather than useful data. However, the unauthorized user only discovers this after downloading the object data and, in doing so, generating an automated alert to your security team.</li>
<li><strong>Isolation</strong> – You can easily isolate the decoy AWS resources from other resources in the same account. For example, an S3 bucket is inherently isolated from other S3 buckets in the same account. An unauthorized user who can read the decoy S3 bucket does not, by doing so, gain the ability to access or affect the availability of other resources in the account. The credentials obtained by the unauthorized user might have permissions for actions on other services, but the existence of the decoy S3 bucket does not expand those permissions in any way.</li>
<li><strong>Cost</strong> – You can keep the cost of deception low by choosing AWS resources that have no cost or a low cost to deploy, are deployed through automation, and require no further maintenance or operational effort. For example, an S3 bucket holding several files of a few MB each costs a fraction of a US cent per month for storage. The API request cost should be zero, because the bucket is designed never to be accessed in the normal course of business. Choosing similar zero-cost or low-cost resources makes it cost-efficient and practical to create such decoys in many accounts, including production accounts, where it is especially important to detect suspicious activity.</li>
</ul>
<h2>Examples of private decoy AWS resources</h2>
<p>The following table shows examples of private decoy AWS resources that are high-fidelity, high-isolation, and low-cost, and are suitable for deployment in an account that hosts sensitive applications or data. The table lists the <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html" target="_blank" rel="noopener noreferrer">CloudTrail event fields</a> that give the event source and event name for accesses to each resource. You can use these CloudTrail events to create corresponding <a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener noreferrer">Amazon EventBridge</a> rules that generate notifications and alerts.</p>
<table width="100%">
<tr>
<td width="19%"><strong>Private decoy resource</strong></td>
<td width="27%"><strong>CloudTrail event source</strong></td>
<td width="27%"><strong>CloudTrail event names</strong></td>
<td width="27%"><strong>Considerations</strong></td>
</tr>
<tr>
<td width="19%">S3 bucket and S3 objects with dummy data</td>
<td width="27%">s3.amazonaws.com</td>
<td width="27%">GetObject<br>HeadObject</td>
<td width="27%">Ensure that the S3 objects do not contain any sensitive data. <p>S3 data events must be enabled in CloudTrail for the decoy S3 bucket.</p></td>
</tr>
<tr>
<td width="19%">IAM role that is meant to be assumed</td>
<td width="27%">sts.amazonaws.com</td>
<td width="27%">AssumeRole</td>
<td width="27%">Ensure that the IAM policies attached to this role allow access only to decoy resources and to no other data or resources. <p>Ensure that the IAM role's trust policy only trusts principals in the same account to assume the role.</p></td>
</tr>
<tr>
<td width="19%">Secrets Manager secret (See <strong>Note</strong> at end of table)</td>
<td width="27%">kms.amazonaws.com</td>
<td width="27%">Decrypt</td>
<td width="27%">Ensure that the secret value does not contain any sensitive data.</td>
</tr>
<tr>
<td width="19%"><a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html" rel="noopener noreferrer" target="_blank">AWS Systems Manager Parameter Store</a> parameter (See <strong>Note</strong> at end of table)</td>
<td width="27%">kms.amazonaws.com</td>
<td width="27%">Decrypt</td>
<td width="27%">Ensure that the parameter value does not contain any sensitive data.</td>
</tr>
<tr>
<td width="19%">DynamoDB table that contains items with dummy data</td>
<td width="27%">dynamodb.amazonaws.com</td>
<td width="27%">BatchExecuteStatement<br>BatchGetItem<br>BatchWriteItem<br>DeleteItem<br>ExecuteStatement<br>ExecuteTransaction<br>GetItem<br>PutItem<br>Query<br>Scan<br>TransactGetItems<br>TransactWriteItems<br>UpdateItem</td>
<td width="27%">Ensure that the items do not contain any sensitive data. <p>DynamoDB data events must be enabled in CloudTrail for the decoy DynamoDB table.</p></td>
</tr>
</table>
<p><strong>Note:</strong> When CloudTrail management API events are delivered to EventBridge, read-only events such as Get*, List*, and Describe* are filtered out and not processed. To receive findings for secrets and Systems Manager parameters that are being accessed, you would want to alert on <span>GetSecretValue</span> and <span>GetParameter</span> API calls. Because these are not processed by EventBridge, you can instead use the fact that secrets and SecureString parameters are encrypted by using <a href="https://aws.amazon.com/kms/" target="_blank" rel="noopener noreferrer">AWS Key Management Service (AWS KMS)</a>, and match on the corresponding AWS KMS Decrypt API calls. A consequence of this approach is that only successful calls from an unauthorized user to <span>GetSecretValue</span> and <span>GetParameter</span> can be matched and alerted on: a call that is denied never reaches the Decrypt step.</p>
<p>Notifications from matching EventBridge rules can be sent to an <a href="http://aws.amazon.com/lambda" target="_blank" rel="noopener noreferrer">AWS Lambda</a> function that generates custom findings in AWS Security Hub. These findings can then be sent to downstream systems that you have configured in your environment, such as your SIEM system or an automated response workflow in your Security Orchestration, Automation, and Response (SOAR) system. Figure 1 shows this workflow.</p>
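<p>To make the table and the note above concrete, the following Python is an added example (not the post's CloudFormation template, whose six rules are not shown): it reconstructs rule patterns for each decoy in EventBridge's event-pattern syntax and runs a small matcher over constructed CloudTrail events in the envelope EventBridge delivers. All decoy names and ARNs are made up. The KMS rules assume the encryption context keys that Secrets Manager (<span>SecretARN</span>) and Parameter Store (<span>PARAMETER_ARN</span>) pass to Decrypt, which CloudTrail records in <span>requestParameters</span>; that is what ties a Decrypt to one specific decoy.</p>

```python
"""Match CloudTrail API calls, as delivered by EventBridge, against decoy rules."""
from typing import Any

# Constructed decoy identifiers; a real deployment reads them from the stack outputs.
ACCOUNT = "111122223333"
REGION = "us-east-1"
DECOY_BUCKET = "corp-finance-reports-archive"
DECOY_TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/customer-ledger"
DECOY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/BillingAdmin"
DECOY_SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/db/master-AbCdEf"
DECOY_PARAM_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/prod/api/key"

DYNAMODB_DATA_EVENTS = [
    "BatchExecuteStatement", "BatchGetItem", "BatchWriteItem", "DeleteItem",
    "ExecuteStatement", "ExecuteTransaction", "GetItem", "PutItem", "Query",
    "Scan", "TransactGetItems", "TransactWriteItems", "UpdateItem",
]


def api_rule(source: str, names: list[str], **detail_fields: Any) -> dict[str, Any]:
    """An EventBridge-style pattern for CloudTrail API calls from one service."""
    return {"detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventSource": [source], "eventName": names, **detail_fields}}


# Assumed rule patterns for the five decoy types in the table above.
RULES: dict[str, dict[str, Any]] = {
    "DecoyS3ObjectAccess": api_rule("s3.amazonaws.com", ["GetObject", "HeadObject"],
                                    requestParameters={"bucketName": [DECOY_BUCKET]}),
    "DecoyDynamoDBAccess": api_rule("dynamodb.amazonaws.com", DYNAMODB_DATA_EVENTS,
                                    resources={"ARN": [DECOY_TABLE_ARN]}),
    "DecoyRoleAssumed": api_rule("sts.amazonaws.com", ["AssumeRole"],
                                 requestParameters={"roleArn": [DECOY_ROLE_ARN]}),
    # GetSecretValue/GetParameter never reach EventBridge, so match the KMS Decrypt
    # that a successful read triggers, keyed on the service's encryption context.
    "DecoySecretDecrypted": api_rule("kms.amazonaws.com", ["Decrypt"],
        requestParameters={"encryptionContext": {"SecretARN": [DECOY_SECRET_ARN]}}),
    "DecoyParameterDecrypted": api_rule("kms.amazonaws.com", ["Decrypt"],
        requestParameters={"encryptionContext": {"PARAMETER_ARN": [DECOY_PARAM_ARN]}}),
}


def matches(pattern: Any, value: Any) -> bool:
    """Subset of EventBridge matching: every key of a pattern object must be present
    and match; a leaf pattern is a list of accepted values; a list in the event
    matches when any of its elements matches (this covers CloudTrail's resources[])."""
    if isinstance(value, list):
        return any(matches(pattern, item) for item in value)
    if isinstance(pattern, dict):
        return isinstance(value, dict) and all(
            key in value and matches(sub, value[key]) for key, sub in pattern.items())
    return value in pattern


def match_rules(event: dict[str, Any]) -> list[str]:
    """Names of the rules an EventBridge event would trigger."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]


def cloudtrail_event(source: str, name: str, **detail: Any) -> dict[str, Any]:
    """Constructed EventBridge envelope for a CloudTrail API call."""
    return {"detail-type": "AWS API Call via CloudTrail", "source": "aws." + source.split(".")[0],
            "account": ACCOUNT, "region": REGION,
            "detail": {"eventSource": source, "eventName": name,
                       "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
                       **detail}}


SAMPLE_EVENTS = {
    "decoy_object_read": cloudtrail_event("s3.amazonaws.com", "GetObject",
        requestParameters={"bucketName": DECOY_BUCKET, "key": "q3-forecast.xlsx"}),
    # A CSPM tool reading the bucket's configuration, not its data: no rule fires.
    "decoy_bucket_policy_read": cloudtrail_event("s3.amazonaws.com", "GetBucketPolicy",
        requestParameters={"bucketName": DECOY_BUCKET}),
    "decoy_table_scan": cloudtrail_event("dynamodb.amazonaws.com", "Scan",
        requestParameters={"tableName": "customer-ledger"},
        resources=[{"type": "AWS::DynamoDB::Table", "ARN": DECOY_TABLE_ARN}]),
    "decoy_role_assumed": cloudtrail_event("sts.amazonaws.com", "AssumeRole",
        requestParameters={"roleArn": DECOY_ROLE_ARN, "roleSessionName": "probe"}),
    "decoy_secret_decrypted": cloudtrail_event("kms.amazonaws.com", "Decrypt",
        requestParameters={"encryptionContext": {"SecretARN": DECOY_SECRET_ARN, "SecretVersionId": "v1"}}),
    # Same KMS key, different (real) secret: the encryption context keeps it apart.
    "other_secret_decrypted": cloudtrail_event("kms.amazonaws.com", "Decrypt",
        requestParameters={"encryptionContext": {"SecretARN": DECOY_SECRET_ARN.replace("master", "replica")}}),
    "decoy_parameter_decrypted": cloudtrail_event("kms.amazonaws.com", "Decrypt",
        requestParameters={"encryptionContext": {"PARAMETER_ARN": DECOY_PARAM_ARN}}),
}

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(f"{label:28s} -> {match_rules(event) or 'no rule'}")
```

<p>The GetBucketPolicy sample is the false-positive case discussed later in this post: configuration reads by posture-management tools do not match, only reads of the decoy's data do. A denied GetObject on the decoy bucket still carries <span>bucketName</span> and would match, whereas a denied GetSecretValue produces no Decrypt at all.</p>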
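<p>The Lambda side of that workflow, as an added example and not the post's own function: it converts the EventBridge envelope of a matched CloudTrail event into an AWS Security Finding Format (ASFF) document for <span>BatchImportFindings</span>. The finding type string, the severity mapping (denied attempts lower than successful reads) and the two sample events are my choices; a real deployment would also need the Lambda's role to allow <span>securityhub:BatchImportFindings</span>.</p>

```python
"""Build an ASFF finding for Security Hub from a decoy-access CloudTrail event."""
import hashlib
import json
from typing import Any


def decoy_resource(detail: dict[str, Any]) -> tuple[str, str]:
    """Return (ASFF resource type, ARN) of the decoy named in a CloudTrail record."""
    params = detail.get("requestParameters") or {}
    source = detail["eventSource"]
    if source == "s3.amazonaws.com":
        return "AwsS3Bucket", f"arn:aws:s3:::{params['bucketName']}"
    if source == "sts.amazonaws.com":
        return "AwsIamRole", params["roleArn"]
    if source == "kms.amazonaws.com":
        # Secrets Manager and Parameter Store name their resource in the Decrypt
        # encryption context (SecretARN / PARAMETER_ARN); see the Note above.
        ctx = params.get("encryptionContext") or {}
        if "SecretARN" in ctx:
            return "AwsSecretsManagerSecret", ctx["SecretARN"]
        return "AwsSsmParameter", ctx["PARAMETER_ARN"]
    if source == "dynamodb.amazonaws.com":
        return "AwsDynamoDbTable", detail["resources"][0]["ARN"]
    raise ValueError(f"no decoy mapping for event source {source}")


def build_finding(event: dict[str, Any]) -> dict[str, Any]:
    """One ASFF finding, built from the EventBridge envelope the rule delivers."""
    account, region, detail = event["account"], event["region"], event["detail"]
    rtype, arn = decoy_resource(detail)
    denied = "errorCode" in detail
    actor = detail.get("userIdentity", {}).get("arn", "unknown principal")
    # Deterministic ID: a redelivered event updates the finding instead of duplicating it.
    event_id = detail.get("eventID") or hashlib.sha256(
        json.dumps(detail, sort_keys=True).encode()).hexdigest()
    when = event.get("time") or detail["eventTime"]
    outcome = f"denied ({detail['errorCode']})" if denied else "succeeded"
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account}/decoy/{event_id}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": f"private-decoy/{rtype}",
        "AwsAccountId": account,
        "Types": ["Unusual Behaviors/Decoy resource accessed"],
        "CreatedAt": when,
        "UpdatedAt": when,
        # Any touch of a decoy is suspicious; a success means the dummy data was read.
        "Severity": {"Label": "MEDIUM" if denied else "HIGH"},
        "Title": f"Decoy {rtype} access {outcome}: {detail['eventName']}",
        "Description": f"{actor} called {detail['eventName']} on decoy {arn}; the call {outcome}.",
        "Resources": [{"Type": rtype, "Id": arn, "Partition": "aws", "Region": region}],
        "RecordState": "ACTIVE",
    }


def handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """Lambda entry point for the EventBridge rules."""
    import boto3  # deferred import so build_finding is usable offline
    client = boto3.client("securityhub", region_name=event["region"])
    return client.batch_import_findings(Findings=[build_finding(event)])


# Constructed sample events in the envelope EventBridge hands to the Lambda.
SAMPLE_ROLE_ASSUMED = {
    "account": "111122223333", "region": "us-east-1", "time": "2022-08-04T10:15:00Z",
    "detail": {
        "eventID": "3f9c1c4e-0000-4b9a-8c3d-aaaaaaaaaaaa",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/BillingAdmin",
                              "roleSessionName": "probe"},
    },
}
SAMPLE_DENIED_GET = {
    "account": "111122223333", "region": "us-east-1", "time": "2022-08-04T10:16:30Z",
    "detail": {  # no eventID, which exercises the hashed fallback
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"bucketName": "corp-finance-reports-archive", "key": "q3.xlsx"},
    },
}
```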
<div id="attachment_26725" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26725" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/08/04/image1-1024x441.png" alt="Figure 1: Accesses to decoy resources automatically create custom Security Hub findings" width="760" class="size-large wp-image-26725">
<p id="caption-attachment-26725" class="wp-caption-text">Figure 1: Accesses to decoy resources automatically create custom Security Hub findings</p>
</div>
<h2>Deploy the private decoy resources</h2>
<p>We have provided an <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener noreferrer">AWS CloudFormation</a> template that you can use to deploy the solution. The template creates the following private decoy AWS resources in your account:</p>
<ul>
<li>DynamoDB table</li>
<li>IAM role</li>
<li>S3 bucket with a decoy S3 object</li>
<li>Systems Manager <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html" target="_blank" rel="noopener noreferrer">SecureString</a> parameter</li>
<li>Secrets Manager secret</li>
</ul>
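<p>The IAM role is the one decoy that can widen an attacker's reach if it is misconfigured, so it deserves a check before deployment, especially once you customize the template. The following Python is an added example, not part of the post or its template: it encodes the two considerations from the table above (the trust policy may only trust principals in the same account; the permissions policy may only reach decoy resources) as functions over policy documents, and runs them against a constructed good role and two constructed mistakes. All ARNs and account IDs are made up.</p>

```python
"""Check that a decoy IAM role cannot become a privilege-escalation path."""
from typing import Any

ACCOUNT = "111122223333"
DECOY_ARNS = [
    "arn:aws:s3:::corp-finance-reports-archive",
    "arn:aws:dynamodb:us-east-1:111122223333:table/customer-ledger",
]


def _as_list(x: Any) -> list:
    return x if isinstance(x, list) else [x]


def _allow_statements(doc: dict[str, Any]) -> list[dict[str, Any]]:
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]


def trust_policy_same_account_only(doc: dict[str, Any], account: str) -> list[str]:
    """Return the problems found; an empty list means only IAM principals in
    `account` can assume the role. Wildcards, other accounts and service or
    federated principals are rejected because they widen who can reach the decoy."""
    problems = []
    for s in _allow_statements(doc):
        principal = s.get("Principal", {})
        if principal == "*":
            problems.append("Principal '*' lets any AWS account assume the role")
            continue
        for kind, values in principal.items():
            if kind != "AWS":
                problems.append(f"{kind} principal {values} is not an account principal")
                continue
            for arn in _as_list(values):
                if arn == "*" or not arn.startswith(f"arn:aws:iam::{account}:"):
                    problems.append(f"principal {arn} is outside account {account}")
    return problems


def permissions_decoy_only(doc: dict[str, Any], decoy_arns: list[str]) -> list[str]:
    """Return Allow resources that are not a decoy ARN or a path beneath one."""
    problems = []
    for s in _allow_statements(doc):
        for res in _as_list(s.get("Resource", "*")):
            if not any(res == d or res.startswith(d + "/") for d in decoy_arns):
                problems.append(f"{s.get('Sid', '<no Sid>')} allows {res}")
    return problems


def decoy_role_is_safe(trust: dict[str, Any], perms: dict[str, Any]) -> bool:
    return (not trust_policy_same_account_only(trust, ACCOUNT)
            and not permissions_decoy_only(perms, DECOY_ARNS))


# Constructed decoy role: trusts only the account's own principals and can only
# read the decoy bucket's objects and scan the decoy table.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadDecoyObjects", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": f"{DECOY_ARNS[0]}/*"},
    {"Sid": "ReadDecoyTable", "Effect": "Allow", "Action": ["dynamodb:Scan"],
     "Resource": DECOY_ARNS[1]}]}

# Constructed mistakes: a cross-account plus service trust, and a policy that reaches real data.
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::999999999999:root"], "Service": "lambda.amazonaws.com"}}]}
BAD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

if __name__ == "__main__":
    print("good role safe:", decoy_role_is_safe(GOOD_TRUST, GOOD_PERMS))
    print("trust problems:", trust_policy_same_account_only(BAD_TRUST, ACCOUNT))
    print("permission problems:", permissions_decoy_only(BAD_PERMS, DECOY_ARNS))
```

<p>The checks are deliberately strict: a <span>Condition</span> block that narrows a broad principal is not honored, because a decoy role should not need one. To run them against a deployed role, pass the documents returned by <span>iam:GetRole</span> (the <span>AssumeRolePolicyDocument</span>) and <span>iam:GetRolePolicy</span>.</p>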
<p>In addition, the CloudFormation template deploys the following resources in your account to detect accesses to the decoys and send custom findings to Security Hub:</p>
<ul>
<li>A CloudTrail data events trail that includes only data events from the decoy S3 bucket and DynamoDB table</li>
<li>Six EventBridge rules to match specific CloudTrail API events</li>
<li>Two Lambda functions with corresponding IAM roles:
<ul>
<li>The <span>WriteData</span> Lambda function is a CloudFormation custom resource that is used to create the decoy S3 object and the Systems Manager <span>SecureString</span> parameter</li>
<li>The <span>Findings</span> Lambda function is a target for the EventBridge rules, and it sends custom findings to Security Hub when the decoy resources are accessed</li>
</ul>
</li>
</ul>
<p>The prerequisites for deploying the solution are as follows:</p>
<ul>
<li>Security Hub must be enabled in the AWS Regions where the private decoys will be deployed, in order to receive custom findings.</li>
<li>You must have created a CloudTrail trail that logs <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html" target="_blank" rel="noopener noreferrer">management events</a> for the AWS account in the Region where you deploy the private decoys. This trail can be created locally in the account or can be an <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html" target="_blank" rel="noopener noreferrer">organization trail</a>. Ensure that you have enabled both <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#read-write-events-mgmt" target="_blank" rel="noopener noreferrer">read and write events</a>, and that all AWS KMS events are logged by the trail (this is the default configuration).</li>
</ul>
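<p>The second prerequisite is easy to get subtly wrong: a trail set to write-only events, or one whose selectors exclude <span>kms.amazonaws.com</span> (a common cost-saving tweak), silently breaks the secret and parameter rules because the Decrypt calls never reach EventBridge. The following Python is an added pre-flight check, not from the post: it evaluates the selector document that <span>GetEventSelectors</span> returns, for both basic and advanced selectors, against constructed responses, and ends with a live per-Region lookup. The selector shapes follow the CloudTrail API; the trail names are made up.</p>

```python
"""Pre-flight check: does a trail log read+write management events including AWS KMS?"""
from typing import Any

KMS = "kms.amazonaws.com"


def basic_selector_ok(selector: dict[str, Any]) -> bool:
    """Classic event selector: management events, ReadWriteType All, KMS not excluded."""
    return (bool(selector.get("IncludeManagementEvents", False))
            and selector.get("ReadWriteType") == "All"
            and KMS not in selector.get("ExcludeManagementEventSources", []))


def advanced_selector_ok(selector: dict[str, Any]) -> bool:
    """Advanced event selector: eventCategory=Management with no readOnly restriction
    and no eventSource filter that drops kms.amazonaws.com."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Management"] or "readOnly" in fields:
        return False
    src = fields.get("eventSource")
    if src is None:
        return True
    if KMS in src.get("NotEquals", []):
        return False
    return "Equals" not in src or KMS in src["Equals"]


def trail_meets_prerequisite(event_selectors: dict[str, Any]) -> bool:
    """event_selectors: one GetEventSelectors response (a trail has one kind or the other)."""
    basic = event_selectors.get("EventSelectors") or []
    advanced = event_selectors.get("AdvancedEventSelectors") or []
    return any(map(basic_selector_ok, basic)) or any(map(advanced_selector_ok, advanced))


# Constructed GetEventSelectors responses.
GOOD_BASIC = {"TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
              "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                  "DataResources": [], "ExcludeManagementEventSources": []}]}
WRITE_ONLY = {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]}
KMS_EXCLUDED = {"AdvancedEventSelectors": [{"Name": "mgmt-no-kms", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]},
    {"Field": "eventSource", "NotEquals": [KMS]}]}]}
GOOD_ADVANCED = {"AdvancedEventSelectors": [{"Name": "all-mgmt", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]}]}]}
DATA_ONLY = {"AdvancedEventSelectors": [{"Name": "s3-data", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]}


def check_region(region: str) -> list[str]:
    """Live check (needs credentials): names of trails that are logging in this Region
    and meet the prerequisite. Organization and multi-Region trails show up as shadow trails."""
    import boto3  # deferred so the pure checks above run offline
    ct = boto3.client("cloudtrail", region_name=region)
    good = []
    for trail in ct.describe_trails(includeShadowTrails=True)["trailList"]:
        if not ct.get_trail_status(Name=trail["TrailARN"])["IsLogging"]:
            continue
        if trail_meets_prerequisite(ct.get_event_selectors(TrailName=trail["TrailARN"])):
            good.append(trail["Name"])
    return good
```

<p>If <span>check_region</span> returns an empty list for a Region where you plan to deploy, fix the trail before launching the stack; otherwise the S3 and DynamoDB rules will work (the template brings its own data-events trail) while the secret, parameter and role rules stay silent.</p>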
<h3>Deploy the solution</h3>
<p>After you have the prerequisites in place, you can launch the CloudFormation template to deploy the private decoys.</p>
<p><strong>To launch the template</strong></p>
<ol>
<li>Choose the following <strong>Launch Stack</strong> button to launch a CloudFormation stack in your account. <p><a href="https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://awsiammedia.s3.amazonaws.com/public/sample/1207-detect-suspicious-activity/rendered_template_cleaned.yaml" rel="noopener noreferrer" target="_blank"><img src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2019/06/05/launch-stack-button.png" alt="Launch Stack" width="190" height="36" class="aligncenter size-full wp-image-10149"></a></p>
<blockquote><p><strong>Note:</strong> The stack will launch in the N. Virginia (us-east-1) Region. To deploy this solution into other AWS Regions, download the solution's CloudFormation template, modify it, and deploy it to the selected Region. For maximum coverage in detecting suspicious activity, we recommend that you deploy the solution into your critical production Regions and accounts.</p></blockquote>
</li>
<li>On the <strong>Specify stack details</strong> page, enter the stack name, and then choose <strong>Next</strong>. <p>The CloudFormation template uses the stack name in the naming of the resources that are created. We recommend that you follow your organization's existing naming conventions for stack names and do not reference decoy resources, because that could alert an unauthorized user to the purpose of the resources they are trying to access.</p>
<div id="attachment_26726" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26726" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/08/04/image2.png" alt="Figure 2: Specify stack details" width="700" class="size-full wp-image-26726">
<p id="caption-attachment-26726" class="wp-caption-text">Figure 2: Specify stack details</p>
</div>
</li>
<li>Configure any tags or other organization-specific stack options you need, or accept the default settings, and then choose <strong>Next</strong>.</li>
<li>Review the CloudFormation settings, select the check box acknowledging that AWS CloudFormation might create IAM resources with custom names, and then choose <strong>Create stack</strong>.</li>
<li>After the stack has completed deployment, the CloudFormation stack outputs show the Amazon Resource Names (ARNs) of the decoy resources that were created.
<div id="attachment_26727" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26727" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/08/04/image3.png" alt="Figure 3: CloudFormation stack outputs" width="700" class="size-full wp-image-26727">
<p id="caption-attachment-26727" class="wp-caption-text">Figure 3: CloudFormation stack outputs</p>
</div>
</li>
</ol>
<h2>Estimated costs</h2>
<p>This solution has been designed to keep costs as low as possible, by using services that have no associated cost (such as IAM roles or standard-tier parameters stored in Systems Manager Parameter Store), and by keeping the use of paid services (such as S3 and DynamoDB) to a minimum.</p>
<p>Deploying the solution as outlined in this blog post should result in a cost of less than $1 per month for a single-account deployment; however, refer to the <a href="https://calculator.aws/" target="_blank" rel="noopener noreferrer">AWS Pricing Calculator</a>, where you can build a pricing estimate based on your deployment using the most up-to-date pricing information.</p>
<h2>Test the alerts</h2>
<p>Under normal circumstances, after you configure the decoys, there will be no attempted access to these resources, and no findings will be sent to Security Hub in your account. To check that the configuration is working as expected, you can issue the following commands from a machine that has programmatic access to the account where the private decoy resources have been deployed. To run each command, replace the bracketed text with your own information. You can find the details for each of the resources in the outputs section of the CloudFormation stack after it has been deployed successfully.</p>
<p>S3 object access</p>
<ul>
<li>aws s3 cp s3://<span>&lt;bucket_name/object_name&gt;</span> /tmp</li>
<li>aws s3 cp s3://<span>&lt;bucket_name/object_name&gt;</span> s3://<span>&lt;any_existing_bucket&gt;</span></li>
</ul>
<p>IAM role assumption</p>
<ul>
<li>aws sts assume-role --role-arn <span>&lt;role_arn&gt;</span> --role-session-name BlogTestRole</li>
</ul>
<p>Secrets Manager access</p>
<ul>
<li>aws secretsmanager get-secret-value --secret-id <span>&lt;secret_name&gt;</span></li>
</ul>
<p>Parameter Store access</p>
<ul>
<li>aws ssm get-parameters --names <span>&lt;ssm_parameter&gt;</span> --with-decryption</li>
</ul>
<p>DynamoDB table scan</p>
<ul>
<li>aws dynamodb scan --table-name <span>&lt;table_name&gt;</span></li>
</ul>
<p>An example of what these test-generated findings look like is shown in Figure 4.</p>
<div id="attachment_26728" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26728" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/08/04/image4-1024x336.png" alt="Figure 4: Security Hub findings" width="700" class="size-large wp-image-26728">
<p id="caption-attachment-26728" class="wp-caption-text">Figure 4: Security Hub findings</p>
</div>
<p>Consider the following as you deploy decoy AWS resources:</p>
<ul>
<li>You should view decoy AWS resources as enhancements to your <a href="https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/security.html" target="_blank" rel="noopener noreferrer">foundational security</a> controls. Your foundational controls should include the following measures:
<ul>
<li>Help prevent the compromise of AWS credentials, and limit the privileges of credentials, by implementing strong <a href="https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/identity-management.html" target="_blank" rel="noopener noreferrer">identity management</a> and <a href="https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html" target="_blank" rel="noopener noreferrer">permissions management</a>.</li>
<li>Identify and investigate alerts generated by decoy resources by implementing <a href="https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/detection.html" target="_blank" rel="noopener noreferrer">detective controls</a>.</li>
<li>Implement <a href="https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/incident-response.html" target="_blank" rel="noopener noreferrer">incident response</a> mechanisms to respond to and mitigate the potential impact of security incidents, such as a decoy AWS resource being accessed.</li>
</ul>
</li>
<li>You should ensure that your monitoring services and tools are configured to query the configuration of resources rather than the data stored in them. Otherwise, you could receive a large volume of false positives, because a custom finding is created in Security Hub every time a decoy is accessed. For example, consider a service such as the Security Hub security standards checks, or a cloud security posture management (CSPM) tool, that monitors your S3 buckets by describing the attributes of all buckets in your account. Such tools will see the decoy S3 bucket and interrogate its configuration by making calls such as <span>GetBucketPolicy</span> and <span>GetBucketLogging</span>. However, as long as these tools don't try to read data in the bucket through calls such as <span>GetObject</span>, the EventBridge rules configured as described in this post won't generate a finding.</li>
<li>As a specific example of the previous point, make sure that you don't run a <a href="https://docs.aws.amazon.com/macie/latest/user/discovery-jobs.html" target="_blank" rel="noopener noreferrer">sensitive data discovery job in Amazon Macie</a> on the decoy S3 bucket, to avoid false alerts. You can configure <a href="https://aws.amazon.com/macie/" target="_blank" rel="noopener noreferrer">Amazon Macie</a> to <a href="https://docs.aws.amazon.com/macie/latest/user/monitoring-s3.html" target="_blank" rel="noopener noreferrer">monitor the metadata of your S3 buckets</a>, because those activities won't generate alerts.</li>
<li>The solution generates custom findings in Security Hub only for successful accesses of Secrets Manager secrets and Systems Manager parameters, because the KMS Decrypt call it matches on happens only after access has been granted. However, both successful and unsuccessful accesses of S3 objects and DynamoDB items, and IAM role assumption attempts, generate custom findings in Security Hub.</li>
</ul>
<h2>Conclusion</h2>
<p>In this post, we discussed the benefits of using private decoy AWS resources to detect suspicious activity in your account, and how these decoys can complement your existing security solutions. You learned how to create private decoys, set up alerting, and ingest (and test) these alerts as custom findings in Security Hub for central visibility across your AWS environment. The solution deployment included a set of common resources as private decoys; however, the required templates and code are available in our <a href="https://github.com/aws-samples/aws-private-decoy-resources" target="_blank" rel="noopener noreferrer">GitHub</a> repository, and you can extend and customize them to include other resources that are relevant to your accounts.</p>
<p>If you would also like to learn about using CloudTrail as another approach to detecting unexpected behavior in your accounts, see the post <a href="https://aws.amazon.com/blogs/security/using-cloudtrail-to-identify-unexpected-behaviors-in-individual-workloads/" target="_blank" rel="noopener noreferrer">Using CloudTrail to identify unexpected behaviors in individual workloads</a> for more information.</p>
