AWS EC2 Deprecated AMI Discovery
Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary who is looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious and do not by themselves indicate a breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2024/12/24"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/17"

[rule]
author = ["Elastic"]
description = """
Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary
who is looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently
malicious and do not by themselves indicate a breach, they may be more susceptible to vulnerabilities and should be
investigated for potential security risks.
"""
false_positives = [
    "Legitimate use of deprecated AMIs for testing or development purposes.",
    "Automated tools or scripts that query for deprecated AMIs as part of a security assessment.",
    "Misconfigured applications or services that rely on deprecated AMIs for compatibility reasons.",
    "Administrators or developers who are unaware of the deprecation status of AMIs they are using.",
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Deprecated AMI Discovery"
note = """## Triage and analysis

## Investigating AWS EC2 Deprecated AMI Discovery

This rule detects when a user queries AWS for deprecated Amazon Machine Images (AMIs). While deprecated AMIs are not inherently malicious, their use can introduce vulnerabilities or misconfigurations. Adversaries may enumerate deprecated AMIs in search of outdated or unpatched systems. Investigating these queries can help identify potential risks or misconfigurations.

### Possible Investigation Steps

1. **Identify the User Performing the Query**:
   - Review the `aws.cloudtrail.user_identity.arn` field to determine the AWS user or role making the request.
   - Check `aws.cloudtrail.user_identity.type` and `aws.cloudtrail.user_identity.access_key_id` to verify the type of access (e.g., IAM user, role, or federated identity).
   - Investigate the `related.user` field for additional user context.

2. **Analyze the Source of the Request**:
   - Review the `source.ip` field to determine the IP address of the source making the request.
   - Check `source.geo` for the geographic location of the IP address.
   - Analyze the `user_agent.original` field to determine the client or tool used (e.g., AWS CLI, SDK).

3. **Review the Request Details**:
   - Inspect the `aws.cloudtrail.flattened.request_parameters` field for query parameters, such as `includeDeprecated=true`.
   - Confirm that the request explicitly includes deprecated AMIs (`includeDeprecated=true`) and is tied to specific owners via the `ownersSet` field.
   - Verify the `event.action` is `DescribeImages` and the `event.outcome` is `success`.

4. **Validate the Query Context**:
   - Determine if the request is part of legitimate activity, such as:
     - Security assessments or vulnerability scans.
     - Maintenance or testing of legacy systems.
   - Check if the query aligns with recent changes in the AWS environment, such as new configurations or services.

5. **Correlate with Other Events**:
   - Investigate additional AWS API calls from the same user or IP address for signs of reconnaissance or exploitation.
   - Review logs for related actions, such as launching instances from deprecated AMIs (`RunInstances` API call).

6. **Assess Security Risks**:
   - Evaluate the use of deprecated AMIs within your environment and their associated vulnerabilities.
   - Ensure that deprecated AMIs are not being used in production environments or systems exposed to external threats.

### False Positive Analysis

- **Legitimate Use**: Users may query for deprecated AMIs for testing or compatibility purposes.
- **Automated Tools**: Security or compliance tools might query deprecated AMIs as part of regular assessments.
- **Misconfigured Services**: Legacy systems may rely on deprecated AMIs for compatibility, leading to legitimate queries.

### Response and Remediation

1. **Immediate Actions**:
   - Verify the intent of the user querying for deprecated AMIs.
   - Restrict IAM permissions to prevent unauthorized access to deprecated AMIs.

2. **Mitigation Steps**:
   - Identify and replace deprecated AMIs in use with supported and updated AMIs.
   - Update AWS IAM policies to minimize permissions for querying or using deprecated AMIs.

3. **Enhance Monitoring**:
   - Enable alerts for future queries involving deprecated AMIs or other unusual API activity.
   - Monitor CloudTrail logs for additional reconnaissance or suspicious behavior.

4. **Security Audits**:
   - Conduct a review of all AMIs in use across your environment to identify outdated or deprecated images.
   - Remove any deprecated AMIs from production environments and restrict their usage to isolated testing.

5. **Add Rule Exceptions**:
   - Create exceptions for legitimate use cases or automated tools that query for deprecated AMIs.
   - Document and communicate the exceptions to relevant teams to avoid future alerts.

### Additional Resources

- [AWS Documentation: AMI Lifecycle Management](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)
- [AWS Documentation: Deprecated AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html)
"""
references = [
    "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
]
risk_score = 21
rule_id = "264c641e-c202-11ef-993e-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: AWS EC2",
    "Resources: Investigation Guide",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: "DescribeImages"
    and event.outcome: "success"
    and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true"
    and aws.cloudtrail.request_parameters: *owner=*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.investigation_fields]
field_names = [
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "source.ip",
    "cloud.account.id",
    "cloud.region",
    "user_agent.original",
    "event.action",
]
```
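The rule's KQL query re-implemented in Python and run over constructed CloudTrail events, so that each of its clauses, and in particular the unanchored `*owner=*` wildcard, can be checked offline: a scoped `includeDeprecated=true` request alerts, while a plain `DescribeImages`, a deprecated-AMI request with no owner filter, and a denied request do not. This is an added example, not Elastic's code. The account ID, ARN, access key ID, IP address and user agent are constructed, and the `{key=value, ...}` string form assumed for `aws.cloudtrail.request_parameters` (the reason the rule can match on the `owner=` substring) is an assumption about how the AWS integration renders that field.

```python
"""Offline check of the rule's query logic against constructed CloudTrail events.

Added example, not Elastic's code. Field names are the ECS / aws.cloudtrail
fields the rule's KQL references; every value below is constructed.
"""
from typing import Any

# Fields shared by all constructed samples (a successful DescribeImages call).
_DESCRIBE_IMAGES_OK: dict[str, Any] = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "ec2.amazonaws.com",
    "event.action": "DescribeImages",
    "event.outcome": "success",
    "cloud.account.id": "123456789012",          # constructed
    "cloud.region": "us-east-1",
    "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/example-user",
    "aws.cloudtrail.user_identity.type": "IAMUser",
    "aws.cloudtrail.user_identity.access_key_id": "AKIA-PLACEHOLDER-KEY-ID",  # constructed
    "source.ip": "198.51.100.10",                # documentation range, constructed
    "user_agent.original": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64",
}

# Assumption: the integration stores aws.cloudtrail.request_parameters as a
# "{key=value, ...}" string, so an owner filter appears as the substring "owner=".
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {**_DESCRIBE_IMAGES_OK,  # 1: deprecated AMIs requested, scoped to an owner -> alert
     "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "true",
     "aws.cloudtrail.request_parameters": "{includeDeprecated=true, ownersSet={items=[{owner=amazon}]}}"},
    {**_DESCRIBE_IMAGES_OK,  # 2: ordinary DescribeImages, no includeDeprecated -> no alert
     "aws.cloudtrail.request_parameters": "{ownersSet={items=[{owner=self}]}}"},
    {**_DESCRIBE_IMAGES_OK,  # 3: includeDeprecated=true but no owner filter -> rule does not fire
     "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "true",
     "aws.cloudtrail.request_parameters": "{includeDeprecated=true, imagesSet={items=[{imageId=ami-0placeholder0000001}]}}"},
    {**_DESCRIBE_IMAGES_OK,  # 4: same request as 1 but access was denied -> outcome is failure
     "event.outcome": "failure",
     "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "true",
     "aws.cloudtrail.request_parameters": "{includeDeprecated=true, ownersSet={items=[{owner=amazon}]}}"},
]


def matches_rule(event: dict[str, Any]) -> bool:
    """True when every clause of the rule's KQL query holds for the event."""
    include_deprecated = event.get("aws.cloudtrail.flattened.request_parameters.includeDeprecated")
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "ec2.amazonaws.com"
        and event.get("event.action") == "DescribeImages"
        and event.get("event.outcome") == "success"
        # KQL `: "true"`; the flattened value may be stored as a string or a bool
        and include_deprecated in ("true", True)
        # KQL `*owner=*` is an unanchored wildcard: the substring anywhere in the field
        and "owner=" in str(event.get("aws.cloudtrail.request_parameters", ""))
    )


# The rule's [rule.investigation_fields], surfaced first to the analyst.
INVESTIGATION_FIELDS = (
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "source.ip",
    "cloud.account.id",
    "cloud.region",
    "user_agent.original",
    "event.action",
)


def triage_summary(event: dict[str, Any]) -> dict[str, Any]:
    """Project the investigation fields out of an alerting event."""
    return {name: event.get(name) for name in INVESTIGATION_FIELDS}


def evaluate(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Run the rule over a batch of events; one triage summary per alert."""
    return [triage_summary(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Sample 3 is the case worth noticing: the rule deliberately requires an owner filter alongside `includeDeprecated=true`, so a broad deprecated-AMI listing with no `ownersSet` is not alerted on by this rule and would need a separate query if you want it.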
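One way to carry out the "Security Audits" step of the investigation guide (review all AMIs in use and flag deprecated ones): join the instances in an account to their AMIs and report every instance whose image is already past its `DeprecationTime`, plus any whose image is no longer visible at all. This is an added example, not Elastic's or AWS's code. The two inputs are constructed records in the shape of `aws ec2 describe-instances` and `aws ec2 describe-images --include-deprecated` JSON (`ImageId` and `DeprecationTime` are real response fields; the IDs, names and timestamps are made up), and the `now` argument is injected so the check is deterministic. Note that the real audit must itself request deprecated images, which is exactly what this rule alerts on, so the audit role belongs in a documented rule exception.

```python
"""Offline audit of which EC2 instances run from deprecated AMIs.

Added example, not Elastic's or AWS's code. Inputs mirror the JSON shape of
`aws ec2 describe-instances` and `aws ec2 describe-images --include-deprecated`;
all records below are constructed.
"""
from datetime import datetime, timezone

# Constructed `describe-instances` output: one reservation, four instances.
DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example000000001", "ImageId": "ami-0deprecated000001", "State": {"Name": "running"}},
        {"InstanceId": "i-0example000000002", "ImageId": "ami-0current0000001", "State": {"Name": "running"}},
        {"InstanceId": "i-0example000000003", "ImageId": "ami-0future00000001", "State": {"Name": "stopped"}},
        {"InstanceId": "i-0example000000004", "ImageId": "ami-0missing0000001", "State": {"Name": "running"}},
    ]}]
}

# Constructed `describe-images` output. Deprecated AMIs are only returned when the
# caller asks for them (includeDeprecated=true), which is the request the detection
# rule keys on, so an audit job like this needs a rule exception for its role.
DESCRIBE_IMAGES = {
    "Images": [
        {"ImageId": "ami-0deprecated000001", "Name": "legacy-base-2022",
         "DeprecationTime": "2024-06-01T00:00:00.000Z"},
        {"ImageId": "ami-0current0000001", "Name": "hardened-base-2025"},   # no DeprecationTime
        {"ImageId": "ami-0future00000001", "Name": "rolling-base",
         "DeprecationTime": "2099-01-01T00:00:00.000Z"},                    # scheduled, not yet
    ]
}


def parse_aws_timestamp(value: str) -> datetime:
    """DeprecationTime is ISO 8601 with milliseconds and a trailing Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_deprecated_amis_in_use(instances: dict, images: dict, now: datetime) -> list[dict]:
    """One finding per instance whose AMI is deprecated as of `now` or not visible."""
    by_id = {img["ImageId"]: img for img in images["Images"]}
    findings = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            base = {"instance": inst["InstanceId"], "ami": inst["ImageId"],
                    "state": inst["State"]["Name"]}
            image = by_id.get(inst["ImageId"])
            if image is None:
                # Not returned even with deprecated images included: deregistered, or
                # owned by another account that no longer shares it. Cannot be reviewed.
                findings.append({**base, "reason": "ami-not-visible"})
                continue
            deprecation = image.get("DeprecationTime")  # absent when not deprecated
            if deprecation and parse_aws_timestamp(deprecation) <= now:
                findings.append({**base, "reason": "ami-deprecated",
                                 "deprecated_since": deprecation})
    return findings


if __name__ == "__main__":
    for finding in find_deprecated_amis_in_use(DESCRIBE_INSTANCES, DESCRIBE_IMAGES,
                                               datetime.now(timezone.utc)):
        print(finding)
```

Treating an AMI that cannot be resolved as a finding rather than skipping it is deliberate: an instance whose image has been deregistered can still be running, and it is exactly the kind of legacy system that never gets rebuilt.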
References
- https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/
Related rules
- AWS Discovery API Calls via CLI from a Single Resource
- AWS EC2 Multi-Region DescribeInstances API Calls
- AWS EC2 EBS Snapshot Shared or Made Public
- AWS Service Quotas Multi-Region `GetServiceQuota` Requests
- EC2 AMI Shared with Another Account