AWS Systems Manager SecureString Parameter Request with Decryption Flag

Detects the first occurrence of a user identity reading AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with the withDecryption request parameter set to true, which returns the plaintext value. This could indicate that the user is accessing sensitive information. This is a NewTerms rule that alerts on the first occurrence of a specific AWS ARN reading parameters with decryption within the last 10 days.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"

[rule]
author = ["Elastic"]
description = """
Detects the first occurrence of a user identity reading AWS Systems Manager (SSM) SecureString parameters using the
GetParameter or GetParameters API actions with the `withDecryption` request parameter set to true, which returns the
plaintext value. This could indicate that the user is accessing sensitive information. This is a
[NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that
alerts on the first occurrence of a specific AWS ARN reading parameters with decryption within the last 10 days.
"""
false_positives = [
    """
    Users and automation may legitimately read AWS Systems Manager (SSM) parameters using the GetParameter or
    GetParameters API actions with `withDecryption` set to true. Ensure that the caller has a legitimate reason to
    read the plaintext values and that the credentials used are secured. The flag is accepted, and ignored, for String
    and StringList parameters, so tooling that always sets it will also trigger this rule on non-sensitive parameters.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Systems Manager SecureString Parameter Request with Decryption Flag"
note = """
## Triage and Analysis

### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag

This rule detects when a user identity reads parameters from AWS Systems Manager (SSM) Parameter Store with the `withDecryption` flag set to true. SecureString parameters are encrypted with an AWS Key Management Service (KMS) key, and a decrypting read returns their plaintext value, which can indicate an attempt to obtain sensitive data.

Adversaries may target SecureStrings to retrieve sensitive information such as encryption keys, passwords, and other credentials. A decrypting read is particularly concerning because the plaintext is returned to the caller and can be used or exfiltrated immediately. No cryptographic bypass is involved: the SSM service decrypts the value on the caller's behalf, so the caller must be allowed both to read the parameter and to use its KMS key (for a customer managed key, `kms:Decrypt` on that key). The IAM permissions on the caller and the key policy are therefore the controls to review. This behavior might be part of a larger attack strategy aimed at escalating privileges or moving laterally within an environment to access protected data or critical infrastructure.

#### Possible Investigation Steps

- **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine `aws.cloudtrail.request_parameters` for `withDecryption=true` and the name of the accessed parameter (`name` for `GetParameter`, `names` for `GetParameters`). Confirm the parameter's type in Parameter Store: `withDecryption` is ignored for String and StringList parameters, so only a SecureString read actually returned decrypted data.
- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes the identity type (IAM user versus assumed role), the ARN, and the access key ID (`AKIA` prefixes are long-term keys, `ASIA` prefixes are temporary credentials) to determine whether the access was authorized and which credential to revoke if it was not.
- **Contextualize with User Behavior**: Assess whether the access pattern fits the user's normal behavior or job responsibilities. Investigate any out-of-pattern activities around the time of the event.
- **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify whether the request came from a trusted location or whether there are anomalies that suggest a compromised account.
- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, `DescribeParameters` or `GetParametersByPath` enumeration, or other API calls that could indicate broader unauthorized actions.

### False Positive Analysis

- **Legitimate Administrative Use**: Verify whether decrypting reads of SecureString parameters are a normal part of the user's role, particularly in automation scripts or deployment processes such as those involving Terraform or similar tools.
- **Default SDK Behavior**: Some tooling sets `withDecryption` on every read regardless of parameter type. Because the flag is ignored for String and StringList parameters, such reads match this rule without exposing any secret; check the parameter type before treating the alert as a credential read.

### Response and Remediation

- **Immediate Verification**: Contact the user or team responsible for the API call to verify their intent and authorization.
- **Review and Revise Permissions**: If the access was unauthorized, review the permissions assigned to the user or role to ensure they align with the principle of least privilege, and rotate the secret that was read.
- **Audit Parameter Access Policies**: Ensure that IAM policies scope `ssm:GetParameter` and `ssm:GetParameters` to the specific parameter ARNs a principal needs, that use of the KMS key protecting SecureStrings is equally restricted, and that CloudTrail records read events so decrypting reads are captured.
- **Incident Response**: If suspicious activity is confirmed, follow through with your organization's incident response plan to mitigate any potential security issues.
- **Enhanced Monitoring and Alerting**: Strengthen monitoring rules to detect unusual access to SecureString parameters, especially access that involves decryption.

### Additional Information

This rule focuses on SecureString parameters in AWS Systems Manager (SSM) Parameter Store. SecureStrings are encrypted using an AWS Key Management Service (KMS) key. When a caller reads a parameter, it can request that the value be decrypted; if it does, the decrypted value is returned in the response. The rule keys on the `withDecryption` flag rather than on the parameter type because the CloudTrail record carries the request flag, not the type of the parameter that was read.
"""
references = [
    "https://docs.aws.amazon.com/vsts/latest/userguide/systemsmanager-getparameter.html",
    "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html",
]
risk_score = 47
rule_id = "fd332492-0bc6-11ef-b5be-f661ea17fbcc"
setup = "This rule requires that AWS CloudTrail logs are ingested into the Elastic Stack. Ensure that the AWS integration is properly configured to collect AWS CloudTrail logs. This rule also requires that CloudTrail record read management events for AWS Systems Manager (SSM): GetParameter and GetParameters are read-only API calls, so a trail configured to log only write events will not capture them.\n"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Systems Manager",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: "ssm.amazonaws.com"
    and event.action: (GetParameters or GetParameter)
    and event.outcome: success
    and aws.cloudtrail.request_parameters: *withDecryption=true*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.006"
name = "Cloud Secrets Management Stores"
reference = "https://attack.mitre.org/techniques/T1555/006/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
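The rule's query filter and the new-terms first-occurrence logic, together with the fields the investigation guide tells an analyst to pull first, re-implemented over raw CloudTrail records. This is an added example, not Elastic's code: the records below are constructed for the example (account ID, ARNs, key IDs and IPs are made up), the 10-day window is compared against each ARN's last matching event rather than against the rule's full history index, and the shipped KQL matches the substring `withDecryption=true` on a flattened string while raw CloudTrail JSON carries the flag as a boolean.

```python
"""Replay of the SSM decrypting-read rule over constructed CloudTrail records."""
import json
from datetime import datetime, timedelta, timezone

HISTORY_WINDOW = timedelta(days=10)  # mirrors history_window_start = "now-10d"

# Constructed sample CloudTrail records, reduced to the fields the rule uses.
SAMPLE_RECORDS = [
    {"eventTime": "2024-07-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    # Same bot four days later: inside the window, so not a new term.
    {"eventTime": "2024-07-05T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    # GetParameters carries a list under "names"; the flag is the same.
    {"eventTime": "2024-07-06T02:30:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
                      "accessKeyId": "ASIAEXAMPLEKEY000001"},
     "requestParameters": {"names": ["/prod/api/key", "/prod/db/password"],
                           "withDecryption": True}},
    # Decryption not requested: the rule ignores this read.
    {"eventTime": "2024-07-07T09:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
                      "accessKeyId": "ASIAEXAMPLEKEY000001"},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": False}},
    # Denied call: errorCode present, so event.outcome is not success.
    {"eventTime": "2024-07-08T12:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "192.0.2.44",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    # The bot again, 15 days after its last decrypting read: outside the window.
    {"eventTime": "2024-07-20T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
]


def matches_rule(rec: dict) -> bool:
    """Equivalent of the KQL filter on a raw record: SSM source, Get
    Parameter(s), no errorCode (success), withDecryption true."""
    if rec.get("eventSource") != "ssm.amazonaws.com":
        return False
    if rec.get("eventName") not in ("GetParameter", "GetParameters"):
        return False
    if rec.get("errorCode"):  # CloudTrail sets errorCode only on failed calls
        return False
    params = rec.get("requestParameters") or {}
    return params.get("withDecryption") is True


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_context(rec: dict) -> dict:
    """The fields the investigation guide asks an analyst to check first."""
    params = rec.get("requestParameters") or {}
    names = params.get("names") or [params.get("name")]
    return {
        "time": rec["eventTime"],
        "action": rec["eventName"],
        "arn": rec["userIdentity"]["arn"],
        "access_key_id": rec["userIdentity"].get("accessKeyId"),
        "source_ip": rec.get("sourceIPAddress"),
        "parameters": names,
    }


def new_terms_alerts(records, window: timedelta = HISTORY_WINDOW) -> list:
    """Alert when a matching ARN has no matching event in the preceding window
    (approximation of the rule's new_terms behaviour on user_identity.arn)."""
    last_match = {}
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not matches_rule(rec):
            continue
        arn = rec["userIdentity"]["arn"]
        ts = _parse_time(rec["eventTime"])
        prev = last_match.get(arn)
        if prev is None or ts - prev > window:
            alerts.append(triage_context(rec))
        last_match[arn] = ts
    return alerts


if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

Run stand-alone it prints three alerts: the bot's first read, alice's bulk `GetParameters` read, and the bot again once its previous decrypting read has aged out of the 10-day window. The denied call and the read without `withDecryption` never reach the new-terms stage, which is the same ordering as the shipped rule: the KQL filter runs first, and only matching documents feed the term history.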

