AWS Systems Manager SecureString Parameter Request with Decryption Flag
Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the withDecryption parameter set to true. This is a NewTerms rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"

[rule]
author = ["Elastic"]
description = """
Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the
GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user
is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the
`withDecryption` parameter set to true. This is a
[NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that
detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10
days.
"""
false_positives = [
    """
    Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or
    DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate
    reason to access the parameters and that the credentials are secured.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Systems Manager SecureString Parameter Request with Decryption Flag"
note = """
## Triage and Analysis

### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag

This rule detects when an AWS resource accesses SecureString parameters within AWS Systems Manager (SSM) with the decryption flag set to true. SecureStrings are encrypted using a KMS key, and accessing these with decryption can indicate attempts to access sensitive data.

Adversaries may target SecureStrings to retrieve sensitive information such as encryption keys, passwords, and other credentials that are stored securely. Accessing these parameters with decryption enabled is particularly concerning because it implies the adversary is attempting to bypass the encryption to obtain plain text values that can be immediately used or exfiltrated. This behavior might be part of a larger attack strategy aimed at escalating privileges or moving laterally within an environment to access protected data or critical infrastructure.

#### Possible Investigation Steps

- **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter.
- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.
- **Contextualize with User Behavior**: Assess whether the access pattern fits the user’s normal behavior or job responsibilities. Investigate any out-of-pattern activities around the time of the event.
- **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.
- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.

### False Positive Analysis

- **Legitimate Administrative Use**: Verify if the decryption of SecureString parameters is a common practice for the user’s role, particularly if used in automation scripts or deployment processes like those involving Terraform or similar tools.

### Response and Remediation

- **Immediate Verification**: Contact the user or team responsible for the API call to verify their intent and authorization.
- **Review and Revise Permissions**: If the access was unauthorized, review the permissions assigned to the user or role to ensure they align with the principle of least privilege.
- **Audit Parameter Access Policies**: Ensure that policies governing access to SecureString parameters are strict and audit logs are enabled to track access with decryption.
- **Incident Response**: If suspicious activity is confirmed, follow through with your organization's incident response plan to mitigate any potential security issues.
- **Enhanced Monitoring and Alerting**: Strengthen monitoring rules to detect unusual accesses to SecureString parameters, especially those that involve decryption.

### Additional Information

This rule focuses solely on SecureStrings in AWS Systems Manager (SSM) parameters. SecureStrings are encrypted using an AWS Key Management Service (KMS) key. When a user accesses a SecureString parameter, they can specify whether the parameter should be decrypted. If the user specifies that the parameter should be decrypted, the decrypted value is returned in the response.
"""
references = [
    "https://docs.aws.amazon.com/vsts/latest/userguide/systemsmanager-getparameter.html",
    "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html",
]
risk_score = 47
rule_id = "fd332492-0bc6-11ef-b5be-f661ea17fbcc"
setup = "This rule requires that AWS CloudTrail logs are ingested into the Elastic Stack. Ensure that the AWS integration is properly configured to collect AWS CloudTrail logs. This rule also requires event logging for AWS Systems Manager (SSM) API actions which can be enabled in CloudTrail's data events settings.\n"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Systems Manager",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: "ssm.amazonaws.com"
    and event.action: (GetParameters or GetParameter)
    and event.outcome: success
    and aws.cloudtrail.request_parameters: *withDecryption=true*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.006"
name = "Cloud Secrets Management Stores"
reference = "https://attack.mitre.org/techniques/T1555/006/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
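The following is an added example, not code from Elastic or from the detection-rules repository: it re-implements the rule's KQL filter and its NewTerms step in plain Python and runs them over constructed CloudTrail-style records, so you can see which events alert (first decrypted read by an ARN, and again once the ARN has been quiet for longer than the 10-day history window) and which are filtered out (no decryption requested, a failed call, or an action the rule does not cover). Field names follow the ECS/Elastic AWS integration names used in the query; the sample ARNs, parameter names and the serialized `request_parameters` format are assumptions.

```python
# Added example, not part of the Elastic rule or the detection-rules repository:
# a stand-alone re-implementation of this rule's KQL filter and NewTerms logic,
# run over constructed CloudTrail-style events. Field names follow the
# ECS/Elastic AWS integration names the rule uses; sample values are assumed.
from datetime import datetime, timedelta, timezone

# history_window_start = "now-10d" in the rule
HISTORY_WINDOW = timedelta(days=10)
NEW_TERMS_FIELD = "aws.cloudtrail.user_identity.arn"


def matches_query(ev):
    """Mirror the rule's query: a CloudTrail event from the SSM provider, a
    successful GetParameter/GetParameters call whose serialized request
    parameters contain withDecryption=true (the KQL uses a wildcard match)."""
    return (
        ev.get("event.dataset") == "aws.cloudtrail"
        and ev.get("event.provider") == "ssm.amazonaws.com"
        and ev.get("event.action") in ("GetParameter", "GetParameters")
        and ev.get("event.outcome") == "success"
        and "withDecryption=true" in ev.get("aws.cloudtrail.request_parameters", "")
    )


def new_terms_alerts(events):
    """Apply the NewTerms step: among query matches, alert only when the ARN
    has not produced a matching event within the preceding HISTORY_WINDOW.
    This is a simplification of Elastic's implementation, which evaluates the
    window relative to each rule execution; the outcome is the same here."""
    last_seen = {}  # ARN -> timestamp of its most recent matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        arn = ev[NEW_TERMS_FIELD]
        ts = ev["@timestamp"]
        prev = last_seen.get(arn)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[arn] = ts
    return alerts


def build_sample_events():
    """Constructed sample records (not real CloudTrail data)."""
    t0 = datetime(2024, 7, 1, 9, 0, tzinfo=timezone.utc)
    admin = "arn:aws:iam::123456789012:user/example-admin"
    ci = "arn:aws:iam::123456789012:role/example-ci"

    def ev(eid, days, arn, action, params, outcome="success"):
        return {
            "id": eid,
            "@timestamp": t0 + timedelta(days=days),
            "event.dataset": "aws.cloudtrail",
            "event.provider": "ssm.amazonaws.com",
            "event.action": action,
            "event.outcome": outcome,
            "aws.cloudtrail.request_parameters": params,
            NEW_TERMS_FIELD: arn,
        }

    return [
        # first decrypted read by this ARN -> alert
        ev("e1", 0, admin, "GetParameter", "{name=/prod/db/password, withDecryption=true}"),
        # same ARN two days later -> already seen in the window, no alert
        ev("e2", 2, admin, "GetParameter", "{name=/prod/db/password, withDecryption=true}"),
        # decryption not requested -> query does not match
        ev("e3", 3, ci, "GetParameters", "{names=[/prod/app/url], withDecryption=false}"),
        # denied call -> event.outcome is failure, query does not match
        ev("e4", 4, ci, "GetParameter", "{name=/prod/api/key, withDecryption=true}", outcome="failure"),
        # not one of the two actions the rule covers
        ev("e5", 5, ci, "DescribeParameters", "{}"),
        # same admin ARN, 11 days after its last match -> term is new again, alert
        ev("e6", 13, admin, "GetParameters", "{names=[/prod/db/password], withDecryption=true}"),
    ]


def run_example():
    """Return the ids of the sample events that would raise an alert."""
    return [a["id"] for a in new_terms_alerts(build_sample_events())]


if __name__ == "__main__":
    print(run_example())  # ['e1', 'e6']
```

Two points the sample makes visible: the rule only fires on `event.outcome: success`, so a denied `GetParameter` with `withDecryption=true` (event `e4`) is not covered and would need a separate rule if you want to see attempts; and because the new-terms field is the caller ARN, an already-seen identity reading a different SecureString is silent, so the investigation guide's advice to check the parameter name in `request_parameters` matters when an alert does fire.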
Related rules
- First Time Seen AWS Secret Value Accessed in Secrets Manager
- Rapid Secret Retrieval Attempts from AWS SecretsManager
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM User Addition to Group