AWS EC2 Deprecated AMI Discovery

Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary whom is looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicate breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/12/24"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/01/17"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary
 11whom is looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently
 12malicious or indicate breach, they may be more susceptible to vulnerabilities and should be investigated for potential
 13security risks.
 14"""
 15false_positives = [
 16    "Legitimate use of deprecated AMIs for testing or development purposes.",
 17    "Automated tools or scripts that query for deprecated AMIs as part of a security assessment.",
 18    "Misconfigured applications or services that rely on deprecated AMIs for compatibility reasons.",
 19    "Administrators or developers who are unaware of the deprecation status of AMIs they are using.",
 20]
 21from = "now-9m"
 22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 23language = "kuery"
 24license = "Elastic License v2"
 25name = "AWS EC2 Deprecated AMI Discovery"
 26note = """## Triage and analysis
 27
 28## Investigating AWS EC2 Deprecated AMI Discovery
 29
 30This rule detects when a user queries AWS for deprecated Amazon Machine Images (AMIs). While deprecated AMIs are not inherently malicious, their use can introduce vulnerabilities or misconfigurations. Adversaries may exploit deprecated AMIs in search of outdated or unpatched systems. Investigating these queries can help identify potential risks or misconfigurations.
 31
 32### Possible Investigation Steps
 33
 341. **Identify the User Performing the Query**:
 35   - Review the `aws.cloudtrail.user_identity.arn` field to determine the AWS user or role making the request.
 36   - Check `aws.cloudtrail.user_identity.type` and `aws.cloudtrail.user_identity.access_key_id` to verify the type of access (e.g., IAM user, role, or federated identity).
 37   - Investigate the `related.user` field for additional user context.
 38
 392. **Analyze the Source of the Request**:
 40   - Review the `source.ip` field to determine the IP address of the source making the request.
 41   - Check `source.geo` for the geographic location of the IP address.
 42   - Analyze the `user_agent.original` field to determine the client or tool used (e.g., AWS CLI, SDK).
 43
 443. **Review the Request Details**:
 45   - Inspect the `aws.cloudtrail.flattened.request_parameters` field for query parameters, such as `includeDeprecated=true`.
 46   - Confirm that the request explicitly includes deprecated AMIs (`includeDeprecated=true`) and is tied to specific owners via the `ownersSet` field.
 47   - Verify the `event.action` is `DescribeImages` and the `event.outcome` is `success`.
 48
 494. **Validate the Query Context**:
 50   - Determine if the request is part of legitimate activity, such as:
 51     - Security assessments or vulnerability scans.
 52     - Maintenance or testing of legacy systems.
 53   - Check if the query aligns with recent changes in the AWS environment, such as new configurations or services.
 54
 555. **Correlate with Other Events**:
 56   - Investigate additional AWS API calls from the same user or IP address for signs of reconnaissance or exploitation.
 57   - Review logs for related actions, such as launching instances from deprecated AMIs (`RunInstances` API call).
 58
 596. **Assess Security Risks**:
 60   - Evaluate the use of deprecated AMIs within your environment and their associated vulnerabilities.
 61   - Ensure that deprecated AMIs are not being used in production environments or systems exposed to external threats.
 62
 63### False Positive Analysis
 64
 65- **Legitimate Use**: Users may query for deprecated AMIs for testing or compatibility purposes.
 66- **Automated Tools**: Security or compliance tools might query deprecated AMIs as part of regular assessments.
 67- **Misconfigured Services**: Legacy systems may rely on deprecated AMIs for compatibility, leading to legitimate queries.
 68
 69### Response and Remediation
 70
 711. **Immediate Actions**:
 72   - Verify the intent of the user querying for deprecated AMIs.
 73   - Restrict IAM permissions to prevent unauthorized access to deprecated AMIs.
 74
 752. **Mitigation Steps**:
 76   - Identify and replace deprecated AMIs in use with supported and updated AMIs.
 77   - Update AWS IAM policies to minimize permissions for querying or using deprecated AMIs.
 78
 793. **Enhance Monitoring**:
 80   - Enable alerts for future queries involving deprecated AMIs or other unusual API activity.
 81   - Monitor CloudTrail logs for additional reconnaissance or suspicious behavior.
 82
 834. **Security Audits**:
 84   - Conduct a review of all AMIs in use across your environment to identify outdated or deprecated images.
 85   - Remove any deprecated AMIs from production environments and restrict their usage to isolated testing.
 86
 875. **Add Rule Exceptions**:
 88   - Create exceptions for legitimate use cases or automated tools that query for deprecated AMIs.
 89   - Document and communicate the exceptions to relevant teams to avoid future alerts.
 90
 91### Additional Resources
 92
 93- [AWS Documentation: AMI Lifecycle Management](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)
 94- [AWS Documentation: Deprecated AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html)
 95"""
 96references = [
 97    "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
 98]
 99risk_score = 21
100rule_id = "264c641e-c202-11ef-993e-f661ea17fbce"
101severity = "low"
102tags = [
103    "Domain: Cloud",
104    "Data Source: AWS",
105    "Data Source: AWS EC2",
106    "Resources: Investigation Guide",
107    "Use Case: Threat Detection",
108    "Tactic: Discovery",
109]
110timestamp_override = "event.ingested"
111type = "query"
112
113query = '''
114event.dataset: "aws.cloudtrail"
115    and event.provider: "ec2.amazonaws.com"
116    and event.action: "DescribeImages"
117    and event.outcome: "success"
118    and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true"
119    and aws.cloudtrail.request_parameters: *owner=*
120'''
121
122
123[[rule.threat]]
124framework = "MITRE ATT&CK"
125[[rule.threat.technique]]
126id = "T1580"
127name = "Cloud Infrastructure Discovery"
128reference = "https://attack.mitre.org/techniques/T1580/"
129
130
131[rule.threat.tactic]
132id = "TA0007"
133name = "Discovery"
134reference = "https://attack.mitre.org/tactics/TA0007/"
135
136[rule.investigation_fields]
137field_names = [
138    "aws.cloudtrail.user_identity.arn",
139    "aws.cloudtrail.user_identity.type",
140    "aws.cloudtrail.user_identity.access_key_id",
141    "source.ip",
142    "cloud.account.id",
143    "cloud.region",
144    "user_agent.original",
145    "event.action",
146]
...
toml

This rule detects when a user queries AWS for deprecated Amazon Machine Images (AMIs). While deprecated AMIs are not inherently malicious, their use can introduce vulnerabilities or misconfigurations. Adversaries may exploit deprecated AMIs in search of outdated or unpatched systems. Investigating these queries can help identify potential risks or misconfigurations.

  1. Identify the User Performing the Query:

    • Review the aws.cloudtrail.user_identity.arn field to determine the AWS user or role making the request.
    • Check aws.cloudtrail.user_identity.type and aws.cloudtrail.user_identity.access_key_id to verify the type of access (e.g., IAM user, role, or federated identity).
    • Investigate the related.user field for additional user context.
  2. Analyze the Source of the Request:

    • Review the source.ip field to determine the IP address of the source making the request.
    • Check source.geo for the geographic location of the IP address.
    • Analyze the user_agent.original field to determine the client or tool used (e.g., AWS CLI, SDK).
  3. Review the Request Details:

    • Inspect the aws.cloudtrail.flattened.request_parameters field for query parameters, such as includeDeprecated=true.
    • Confirm that the request explicitly includes deprecated AMIs (includeDeprecated=true) and is tied to specific owners via the ownersSet field.
    • Verify the event.action is DescribeImages and the event.outcome is success.
  4. Validate the Query Context:

    • Determine if the request is part of legitimate activity, such as:
      • Security assessments or vulnerability scans.
      • Maintenance or testing of legacy systems.
    • Check if the query aligns with recent changes in the AWS environment, such as new configurations or services.
  5. Correlate with Other Events:

    • Investigate additional AWS API calls from the same user or IP address for signs of reconnaissance or exploitation.
    • Review logs for related actions, such as launching instances from deprecated AMIs (RunInstances API call).
  6. Assess Security Risks:

    • Evaluate the use of deprecated AMIs within your environment and their associated vulnerabilities.
    • Ensure that deprecated AMIs are not being used in production environments or systems exposed to external threats.
  • Legitimate Use: Users may query for deprecated AMIs for testing or compatibility purposes.
  • Automated Tools: Security or compliance tools might query deprecated AMIs as part of regular assessments.
  • Misconfigured Services: Legacy systems may rely on deprecated AMIs for compatibility, leading to legitimate queries.
  1. Immediate Actions:

    • Verify the intent of the user querying for deprecated AMIs.
    • Restrict IAM permissions to prevent unauthorized access to deprecated AMIs.
  2. Mitigation Steps:

    • Identify and replace deprecated AMIs in use with supported and updated AMIs.
    • Update AWS IAM policies to minimize permissions for querying or using deprecated AMIs.
  3. Enhance Monitoring:

    • Enable alerts for future queries involving deprecated AMIs or other unusual API activity.
    • Monitor CloudTrail logs for additional reconnaissance or suspicious behavior.
  4. Security Audits:

    • Conduct a review of all AMIs in use across your environment to identify outdated or deprecated images.
    • Remove any deprecated AMIs from production environments and restrict their usage to isolated testing.
  5. Add Rule Exceptions:

    • Create exceptions for legitimate use cases or automated tools that query for deprecated AMIs.
    • Document and communicate the exceptions to relevant teams to avoid future alerts.

References

Related rules

to-top