First Time AWS Cloudformation Stack Creation by User

This rule detects the first time a principal calls the AWS CloudFormation CreateStack or CreateStackSet API. CloudFormation creates a collection of cloud resources, called a stack, from a template file. An attacker with the appropriate privileges could use CloudFormation to provision resources (IAM roles, credentials, compute that runs template-supplied code) needed to further exploit the environment. This is a new terms rule: it alerts on the first successful stack creation in the last 10 days for a given IAM user or role (user.name) within a particular account (cloud.account.id).

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/07/25"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the first time a principal calls the AWS CloudFormation `CreateStack` or `CreateStackSet` API.
CloudFormation is used to create a single collection of cloud resources called a stack, via a defined template file.
An attacker with the appropriate privileges could leverage CloudFormation to create specific resources needed to
further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the
last 10 days for a role or IAM user within a particular account.
"""
false_positives = [
    """
    Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is
    causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to
    reflect the expected frequency of known activity within a particular environment.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "First Time AWS Cloudformation Stack Creation by User"
references = [
    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/",
    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/",
    "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/",
    "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/",
]
risk_score = 47
rule_id = "0415258b-a7b2-48a6-891a-3367cd9d4d31"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Cloudformation",
    "Use Case: Asset Visibility",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
    event.action: (CreateStack or CreateStackSet) and event.outcome:success
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating First Time AWS Cloudformation Stack Creation by User

AWS CloudFormation automates the setup of cloud resources using templates, streamlining infrastructure management. Adversaries with access can exploit this to deploy malicious resources, escalating their control. The detection rule identifies unusual activity by flagging the first use of the stack creation APIs by a user or role in an account, helping to spot potential unauthorized actions early.

### Possible investigation steps

- Review the matching CloudTrail event (event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com) to identify the user or role that issued the CreateStack or CreateStackSet call, together with the source IP address, user agent, region, and the stack or stack set name in the request parameters.
- Verify the IAM permissions of the user or role involved in the event to confirm the level of access is appropriate and determine whether the action aligns with their typical responsibilities.
- Retrieve and examine the stack template used in the CreateStack or CreateStackSet action (for example with the CloudFormation GetTemplate API) to identify any unusual or unauthorized resources being provisioned, such as IAM roles, users, access keys, or compute that runs template-supplied code.
- The rule only fires on successful calls (event.outcome:success); enumerate the resources the stack actually deployed and investigate each of them.
- Correlate the timing of the stack creation with other logs or alerts to identify any suspicious activity or patterns that might indicate malicious intent.
- Investigate the account's recent activity history to determine whether there have been other first-time or unusual actions by the same user or role.

### False positive analysis

- Routine infrastructure updates by authorized users may trigger the rule. To manage this, maintain a list of users or roles that regularly perform these updates and create exceptions for them.
- Automated deployment tools or scripts that use CloudFormation for legitimate purposes can cause false positives. Identify these tools and exclude their associated IAM roles or users from the rule.
- New team members or roles onboarding into cloud management tasks might be flagged. Implement a process to review and exempt these users after verifying their activities.
- Scheduled or periodic stack creations for testing or development environments can be mistaken for suspicious activity. Document these schedules and exclude the relevant users or roles from the rule.
- Third-party services or integrations that require stack creation permissions could be misidentified. Ensure these services are documented and their actions are excluded from triggering the rule.

### Response and remediation

- Immediately isolate the IAM user or role that initiated the stack creation to prevent further unauthorized actions, for example by attaching an explicit deny policy, deactivating the user's access keys, or, for a role, revoking its active sessions.
- Review the created stack or stack set for any unauthorized or suspicious resources. Identify and terminate any resources that are not part of the expected infrastructure.
- Conduct a thorough audit of recent IAM activity to identify any other unusual or unauthorized actions that may indicate further compromise.
- If malicious activity is confirmed, escalate the incident to the security operations team for a full investigation and potential involvement of incident response teams.
- Implement additional monitoring and alerting for the affected account to detect any further unauthorized attempts to use CloudFormation or other critical AWS services.
- Review and tighten IAM policies and permissions to ensure that only necessary privileges are granted, reducing the risk of exploitation by adversaries.
- Ensure AWS CloudTrail logging covers all regions and consider AWS Config rules to maintain a detailed record of all API activity and configuration changes for ongoing monitoring and compliance."""


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
...
```

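The query and new-terms settings above, run over a handful of constructed CloudTrail records, as an added Python example that is not part of the Elastic rule: it reproduces the rule's filter (event.provider, event.action, event.outcome) on raw CloudTrail field names, keys the term history on account ID and principal name the way the rule's new_terms_fields do, and shows how widening the history window (the history_window_start tuning suggested under false_positives) suppresses a re-alert. The mapping of userIdentity to user.name and the per-event sliding window are assumptions that approximate, rather than reproduce, the Elastic integration and rule engine.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records for illustration; these are not real events.
# Only the fields the rule reads are kept.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-01T10:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2025-01-03T09:30:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2025-01-04T14:15:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStackSet", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "AdminRole"}}}},
    # Denied call: must neither alert nor seed the term history.
    {"eventTime": "2025-01-05T11:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "111111111111",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "intern"}},
    # Read-only call: outside the rule's event.action set.
    {"eventTime": "2025-01-06T08:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DescribeStacks", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "intern"}},
    # Same principal again, but 17 days after its last stack creation.
    {"eventTime": "2025-01-20T16:45:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    # Same user name in a different account: a new (account, user) term.
    {"eventTime": "2025-01-21T10:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
]

STACK_CREATION_ACTIONS = {"CreateStack", "CreateStackSet"}


def matches_query(event):
    """Equivalent of the rule's KQL filter on a raw CloudTrail record.

    event.provider -> eventSource, event.action -> eventName,
    event.outcome  -> success when CloudTrail recorded no errorCode.
    """
    return (
        event.get("eventSource") == "cloudformation.amazonaws.com"
        and event.get("eventName") in STACK_CREATION_ACTIONS
        and "errorCode" not in event
    )


def principal_name(event):
    """Approximation of the ECS user.name the rule keys on (assumption: the
    IAM user name when present, otherwise the issuing role name of an
    assumed-role session)."""
    ident = event.get("userIdentity", {})
    if "userName" in ident:
        return ident["userName"]
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "unknown")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_term_alerts(events, history_days=10):
    """One alert per (account, principal) pair whose successful stack creation
    has no earlier occurrence inside the history window.

    Simplification: the window slides per event; Elastic evaluates it relative
    to each rule run (history_window_start = now-10d).
    """
    window = timedelta(days=history_days)
    last_seen = {}
    alerts = []
    for event in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if not matches_query(event):
            continue  # failed or unrelated calls never seed the term history
        when = parse_time(event["eventTime"])
        key = (event["recipientAccountId"], principal_name(event))
        previous = last_seen.get(key)
        if previous is None or when - previous > window:
            alerts.append({"time": event["eventTime"], "account": key[0],
                           "user": key[1], "action": event["eventName"]})
        last_seen[key] = when
    return alerts


if __name__ == "__main__":
    for alert in new_term_alerts(SAMPLE_EVENTS):
        print(f"{alert['time']} account={alert['account']} "
              f"user={alert['user']} action={alert['action']}")
```

With the default 10-day window the sample produces four alerts: the first stack creation by deploy-bot, the first stack set creation by AdminRole, deploy-bot again once its previous creation has aged out of the window, and deploy-bot in the second account. Raising history_days to 30 removes the third, which is the effect the false_positives note describes for a principal whose legitimate deployments are infrequent.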

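The investigation step that asks you to examine the stack template for unusual or unauthorized resources, as an added Python example that is not part of the Elastic rule or its investigation guide: it takes a template body of the kind the CloudFormation GetTemplate API returns, assumed here to be JSON rather than YAML, and flags the resource types and policy statements a responder would look at first (trust policies that admit principals outside the deploying account, wildcard permissions, IAM access keys and users, Lambda functions, and EC2 UserData). The sample template, the risk categories, and the deploying account ID are constructed for illustration.

```python
import json

# Constructed template body for illustration, shaped like the TemplateBody string
# that CloudFormation GetTemplate returns; it is not from any real stack.
SAMPLE_TEMPLATE_BODY = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppBucket": {"Type": "AWS::S3::Bucket"},
        "BackdoorRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                    "Action": "sts:AssumeRole"}]},
                "Policies": [{"PolicyName": "all", "PolicyDocument": {"Statement": [{
                    "Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
            },
        },
        "OpsKey": {"Type": "AWS::IAM::AccessKey", "Properties": {"UserName": "ops"}},
        "Worker": {"Type": "AWS::EC2::Instance",
                   "Properties": {"ImageId": "ami-00000000",
                                  "UserData": {"Fn::Base64": "#!/bin/bash\necho boot"}}},
    },
})

# Resource types worth a second look regardless of their properties (illustrative list).
HIGH_RISK_TYPES = {
    "AWS::IAM::AccessKey": "creates long-lived static credentials",
    "AWS::IAM::User": "creates a new persistent identity",
    "AWS::Lambda::Function": "executes template-supplied code under the function role",
}


def load_template(body):
    """Parse a JSON template body (a YAML template would need a YAML loader)."""
    return json.loads(body)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(doc):
    if not isinstance(doc, dict):
        return []
    return [s for s in _as_list(doc.get("Statement", [])) if isinstance(s, dict)]


def _policy_documents(props):
    """Every permissions policy document attached to an IAM resource."""
    if "PolicyDocument" in props:
        yield props["PolicyDocument"]
    for inline in props.get("Policies", []) or []:
        if isinstance(inline, dict) and "PolicyDocument" in inline:
            yield inline["PolicyDocument"]


def _external_principals(trust_doc, deploying_account):
    """AWS principals in a trust policy that lie outside the deploying account."""
    external = []
    for stmt in _statements(trust_doc):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            external.append("*")
            continue
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or f":{deploying_account}:" not in arn:
                external.append(arn)
    return external


def triage_template(template, deploying_account):
    """Return (logical_id, type, reason) findings for resources that warrant review."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties", {}) or {}
        if rtype in HIGH_RISK_TYPES:
            findings.append((logical_id, rtype, HIGH_RISK_TYPES[rtype]))
        if rtype == "AWS::EC2::Instance" and "UserData" in props:
            findings.append((logical_id, rtype, "instance runs a UserData script at boot"))
        if rtype.startswith("AWS::IAM::"):
            for arn in _external_principals(props.get("AssumeRolePolicyDocument"), deploying_account):
                findings.append((logical_id, rtype, f"trust policy allows external principal {arn}"))
            for doc in _policy_documents(props):
                for stmt in _statements(doc):
                    actions = _as_list(stmt.get("Action", []))
                    if stmt.get("Effect") == "Allow" and any(a in ("*", "iam:*") for a in actions):
                        findings.append((logical_id, rtype, "policy grants wildcard permissions"))
    return findings


if __name__ == "__main__":
    for logical_id, rtype, reason in triage_template(load_template(SAMPLE_TEMPLATE_BODY), "111111111111"):
        print(f"{logical_id} ({rtype}): {reason}")
```

Run against the sample with 111111111111 as the deploying account, the checker reports the role's cross-account trust and wildcard inline policy, the access key, and the instance UserData, and says nothing about the plain S3 bucket. The deploying account comes from the alert's cloud.account.id; passing 999999999999 instead makes the trust relationship internal and that finding disappears, which is why the check is parameterised rather than hard-coded.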