First Time AWS Cloudformation Stack Creation by User
This rule detects the first time a principal calls AWS Cloudwatch CreateStack or CreateStackSet API. Cloudformation
is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with
the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the
environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role
or IAM user within a particular account.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/07/25"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2024/11/07"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation
11is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with
12the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the
13environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role
14or IAM user within a particular account.
15"""
16false_positives = [
17 """
18 Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is
19 causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to
20 reflect the expected frequency of known activity within a particular environment.
21 """,
22]
23from = "now-6m"
24index = ["filebeat-*", "logs-aws.cloudtrail-*"]
25language = "kuery"
26license = "Elastic License v2"
27name = "First Time AWS Cloudformation Stack Creation by User"
28references = [
29 "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/",
30 "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/",
31 "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/",
32 "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/",
33]
34risk_score = 47
35rule_id = "0415258b-a7b2-48a6-891a-3367cd9d4d31"
36severity = "medium"
37tags = [
38 "Domain: Cloud",
39 "Data Source: AWS",
40 "Data Source: Amazon Web Services",
41 "Data Source: Cloudformation",
42 "Use Case: Asset Visibility",
43 "Tactic: Execution",
44]
45timestamp_override = "event.ingested"
46type = "new_terms"
47
48query = '''
49event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
50 event.action: (CreateStack or CreateStackSet) and event.outcome:success
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56
57[rule.threat.tactic]
58id = "TA0002"
59name = "Execution"
60reference = "https://attack.mitre.org/tactics/TA0002/"
61
62[rule.new_terms]
63field = "new_terms_fields"
64value = ["cloud.account.id", "user.name"]
65[[rule.new_terms.history_window_start]]
66field = "history_window_start"
67value = "now-10d"
References
-
Examples of the command syntax to use when creating, updating, and deleting stacks with the AWS CLI and PowerShell.
Read More -
StackSets extends the capability of stacks by allowing you to create, update, or delete stacks across multiple AWS accounts and Regions with a single operation.
Read More
Related rules
- AWS SSM `SendCommand` Execution by Rare User
- AWS Lambda Layer Added to Existing Function
- AWS S3 Bucket Expiration Lifecycle Configuration Added
- AWS S3 Bucket Server Access Logging Disabled
- AWS RDS Snapshot Deleted