AWS EC2 Security Group Configuration Change
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/05"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2024/11/05"
6
7[rule]
8author = ["Elastic", "Austin Songer"]
9description = """
10Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying
11configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or
12pivot in an AWS environment.
13"""
14false_positives = [
15 """
16 A security group may be created by a system or network administrator. Verify whether the user identity, user agent,
17 and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts
18 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
19 """,
20]
21from = "now-9m"
22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS EC2 Security Group Configuration Change"
26note = """
27### Investigating AWS EC2 Security Group Configuration Change
28
29This rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.
30
31#### Possible Investigation Steps
32
331. **Identify the Modified Security Group**:
34 - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.
35 - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.
36
372. **Review User Context**:
38 - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. Verify if this is an authorized administrator or a potentially compromised account.
39 - **Access Patterns**: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.
40
413. **Analyze the Configuration Change**:
42 - **Egress vs. Ingress**: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like `isEgress` in the `securityGroupRuleSet`. Unauthorized changes to outbound traffic can indicate data exfiltration attempts.
43 - **IP Ranges and Ports**: Assess any added IP ranges, especially `0.0.0.0/0`, which exposes resources to the internet. Port changes should also be evaluated to ensure only necessary ports are open.
44
454. **Check User Agent and Source IP**:
46 - **User Agent Analysis**: Examine the `user_agent.original` field to identify the tool or application used, such as `AWS Console` or `Terraform`, which may reveal if the action was automated or manual.
47 - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.
48
495. **Evaluate for Persistence Indicators**:
50 - **Repeated Changes**: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.
51 - **Permissions Review**: Confirm that the user’s IAM policies are configured to limit changes to security groups only as necessary.
52
536. **Correlate with Other CloudTrail Events**:
54 - **Cross-Reference Other Security Events**: Look for related actions like `AuthorizeSecurityGroupIngress`, `CreateSecurityGroup`, or `RevokeSecurityGroupIngress` that may indicate additional or preparatory steps for unauthorized access.
55 - **Monitor for IAM or Network Changes**: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.
56
57### False Positive Analysis
58
59- **Routine Security Changes**: Security group modifications may be part of regular infrastructure maintenance. Verify if this action aligns with known, scheduled administrative activities.
60- **Automated Configuration Management**: If you are using automated tools like `Terraform` or `CloudFormation`, confirm if the change matches expected configuration drift corrections or deployments.
61
62### Response and Remediation
63
64- **Revert Unauthorized Changes**: If unauthorized, revert the security group configuration to its previous state to secure the environment.
65- **Restrict Security Group Permissions**: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.
66- **Quarantine Affected Resources**: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.
67- **Audit IAM and Security Group Policies**: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.
68
69### Additional Information
70
71For more details on managing AWS Security Groups and best practices, refer to the [AWS EC2 Security Groups Documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) and AWS security best practices.
72"""
73references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"]
74risk_score = 21
75rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
76severity = "low"
77tags = [
78 "Domain: Cloud",
79 "Data Source: AWS",
80 "Data Source: Amazon Web Services",
81 "Data Source: AWS EC2",
82 "Use Case: Network Security Monitoring",
83 "Resources: Investigation Guide",
84 "Tactic: Persistence",
85 "Tactic: Defense Evasion"
86]
87timestamp_override = "event.ingested"
88type = "query"
89
90query = '''
91event.dataset: "aws.cloudtrail"
92 and event.provider: "ec2.amazonaws.com"
93 and event.action:(
94 "AuthorizeSecurityGroupEgress" or
95 "CreateSecurityGroup" or
96 "ModifyInstanceAttribute" or
97 "ModifySecurityGroupRules" or
98 "RevokeSecurityGroupEgress" or
99 "RevokeSecurityGroupIngress")
100 and event.outcome: "success"
101'''
102
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106
107[rule.threat.tactic]
108id = "TA0003"
109name = "Persistence"
110reference = "https://attack.mitre.org/tactics/TA0003/"
111[[rule.threat]]
112framework = "MITRE ATT&CK"
113[[rule.threat.technique]]
114id = "T1562"
115name = "Impair Defenses"
116reference = "https://attack.mitre.org/techniques/T1562/"
117[[rule.threat.technique.subtechnique]]
118id = "T1562.007"
119name = "Disable or Modify Cloud Firewall"
120reference = "https://attack.mitre.org/techniques/T1562/007/"
121
122
123
124[rule.threat.tactic]
125id = "TA0005"
126name = "Defense Evasion"
127reference = "https://attack.mitre.org/tactics/TA0005/"
Investigating AWS EC2 Security Group Configuration Change
This rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.
Possible Investigation Steps
-
Identify the Modified Security Group:
- Security Group ID: Check the
aws.cloudtrail.flattened.request_parameters.groupId
field to identify the specific security group affected. - Rule Changes: Review
aws.cloudtrail.flattened.response_elements.securityGroupRuleSet
to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.
- Security Group ID: Check the
-
Review User Context:
- User Identity: Inspect the
aws.cloudtrail.user_identity.arn
field to determine which user or role made the modification. Verify if this is an authorized administrator or a potentially compromised account. - Access Patterns: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.
- User Identity: Inspect the
-
Analyze the Configuration Change:
- Egress vs. Ingress: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like
isEgress
in thesecurityGroupRuleSet
. Unauthorized changes to outbound traffic can indicate data exfiltration attempts. - IP Ranges and Ports: Assess any added IP ranges, especially
0.0.0.0/0
, which exposes resources to the internet. Port changes should also be evaluated to ensure only necessary ports are open.
- Egress vs. Ingress: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like
-
Check User Agent and Source IP:
- User Agent Analysis: Examine the
user_agent.original
field to identify the tool or application used, such asAWS Console
orTerraform
, which may reveal if the action was automated or manual. - Source IP and Geolocation: Use
source.address
andsource.geo
fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.
- User Agent Analysis: Examine the
-
Evaluate for Persistence Indicators:
- Repeated Changes: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.
- Permissions Review: Confirm that the user’s IAM policies are configured to limit changes to security groups only as necessary.
-
Correlate with Other CloudTrail Events:
- Cross-Reference Other Security Events: Look for related actions like
AuthorizeSecurityGroupIngress
,CreateSecurityGroup
, orRevokeSecurityGroupIngress
that may indicate additional or preparatory steps for unauthorized access. - Monitor for IAM or Network Changes: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.
- Cross-Reference Other Security Events: Look for related actions like
False Positive Analysis
- Routine Security Changes: Security group modifications may be part of regular infrastructure maintenance. Verify if this action aligns with known, scheduled administrative activities.
- Automated Configuration Management: If you are using automated tools like
Terraform
orCloudFormation
, confirm if the change matches expected configuration drift corrections or deployments.
Response and Remediation
- Revert Unauthorized Changes: If unauthorized, revert the security group configuration to its previous state to secure the environment.
- Restrict Security Group Permissions: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.
- Quarantine Affected Resources: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.
- Audit IAM and Security Group Policies: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.
Additional Information
For more details on managing AWS Security Groups and best practices, refer to the AWS EC2 Security Groups Documentation and AWS security best practices.
References
Related rules
- AWS RDS DB Instance Made Public
- AWS RDS DB Instance or Cluster Password Modified
- AWS EC2 Network Access Control List Creation
- AWS IAM Deactivation of MFA Device
- AWS IAM AdministratorAccess Policy Attached to Group