AWS SNS Topic Created by Rare User

calendar Feb 20, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS SNS Resources: Investigation Guide Use Case: Threat Detection Tactic: Resource Development  ·
Share on: linkedin copy

Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/02/11"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/02/11"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS
 11topics to stage capabilities for data exfiltration or other malicious activities.
 12"""
 13false_positives = [
 14    """
 15    Legitimate users may create SNS topics for legitimate purposes. Ensure that the creation is authorized before taking
 16    action.
 17    """,
 18]
 19from = "now-9m"
 20index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 21language = "kuery"
 22license = "Elastic License v2"
 23name = "AWS SNS Topic Created by Rare User"
 24note = """## Triage and Analysis
 25
 26### Investigating AWS SNS Topic Created by Rare User
 27
 28This rule detects the creation of an AWS Simple Notification Service (SNS) topic by a user who does not typically perform this action. Adversaries may create SNS topics to facilitate data exfiltration or other malicious activities.
 29
 30This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 10 days.
 31
 32#### Possible Investigation Steps
 33
 34### 1. Identify the Actor and Context
 35- **User Identity and Role**:
 36  - Examine `aws.cloudtrail.user_identity.arn` to determine **who** created the SNS topic.
 37  - Identify whether the actor assumed a **privileged IAM role** (`aws.cloudtrail.user_identity.type: "AssumedRole"`).
 38- **User Agent and Tooling**:
 39  - Check `user_agent.name` to determine if this action was performed via the AWS CLI, SDK, or Console.
 40  - If `aws-cli` was used, review whether it aligns with typical automation or administrative behavior.
 41- **Source IP and Geographic Location**:
 42  - Review `source.ip` and `source.geo` fields to confirm if the request originated from a **trusted** or **unexpected** location.
 43
 44### 2. Evaluate the SNS Topic Creation
 45- **Topic Name and Purpose**:
 46  - Check `aws.cloudtrail.flattened.request_parameters.name` for the **SNS topic name** and determine whether it appears suspicious (e.g., random strings, unusual keywords).
 47- **Target Region and Account**:
 48  - Verify `cloud.region` and `cloud.account.id` to **ensure the SNS topic was created in an expected environment**.
 49- **Associated API Calls**:
 50  - Identify additional actions **before or after** this event using `event.action` values like:
 51    - `Subscribe`
 52    - `Publish`
 53    - `SetTopicAttributes`
 54  - These may indicate follow-up steps taken to misuse the SNS topic.
 55
 56### 3. Analyze Potential Malicious Intent
 57- **Is This an Isolated Action or a Pattern?**
 58  - Check if this **user has previously created SNS topics** using historical CloudTrail logs.
 59  - Look for **multiple topic creations in a short period**, which may suggest an automation script or malicious behavior.
 60- **Unusual Role Usage**:
 61  - If `aws.cloudtrail.user_identity.arn` references an **EC2 instance role**, verify whether that instance typically performs SNS operations.
 62- **Potential Data Exfiltration or Persistence**:
 63  - Review whether **new subscriptions** were added (`Subscribe` API action) to forward data externally.
 64  - If an SNS topic was configured to trigger **Lambda functions or S3 events**, it may indicate an attempt to persist in the environment.
 65
 66## False Positive Analysis
 67- **Legitimate Usage of SNS**:
 68  - SNS is commonly used for **event-driven notifications** in AWS.
 69  - Check whether the SNS topic creation aligns with known **DevOps, automation, or monitoring activities**.
 70- **Routine IAM Role Activity**:
 71  - If the user typically interacts with SNS, consider **allowlisting** expected IAM roles for this action.
 72- **AWS Services Creating Topics Automatically**:
 73  - Some AWS services may **auto-create SNS topics** for alerts and monitoring. Confirm whether the creation was system-generated.
 74
 75## Response and Remediation
 76- **Confirm Authorization**:
 77  - If the user was not expected to create SNS topics, verify whether their IAM permissions should be restricted.
 78- **Revoke Unauthorized Access**:
 79  - If unauthorized, disable the access keys or IAM role associated with the event.
 80- **Monitor for Further SNS Modifications**:
 81  - Set up additional monitoring for **SNS Publish or Subscription events** (`Publish`, `Subscribe`).
 82- **Enhance IAM Policy Controls**:
 83  - Consider enforcing **least privilege** IAM policies and enabling **multi-factor authentication (MFA)** where applicable.
 84- **Investigate for Persistence**:
 85  - Check whether the SNS topic is **being used as a notification channel for Lambda, S3, or other AWS services**.
 86"""
 87references = ["https://docs.aws.amazon.com/sns/latest/api/API_CreateTopic.html"]
 88risk_score = 21
 89rule_id = "3c3f65b8-e8b4-11ef-9511-f661ea17fbce"
 90severity = "low"
 91tags = [
 92    "Domain: Cloud",
 93    "Data Source: AWS",
 94    "Data Source: Amazon Web Services",
 95    "Data Source: AWS SNS",
 96    "Resources: Investigation Guide",
 97    "Use Case: Threat Detection",
 98    "Tactic: Resource Development",
 99]
100timestamp_override = "event.ingested"
101type = "new_terms"
102
103query = '''
104event.dataset: "aws.cloudtrail"
105    and event.provider: "sns.amazonaws.com"
106    and event.action: "CreateTopic"
107    and event.outcome: "success"
108    and aws.cloudtrail.user_identity.type: "AssumedRole"
109    and aws.cloudtrail.user_identity.arn: *i-*
110'''
111
112
113[[rule.threat]]
114framework = "MITRE ATT&CK"
115[[rule.threat.technique]]
116id = "T1608"
117name = "Stage Capabilities"
118reference = "https://attack.mitre.org/techniques/T1608/"
119
120
121[rule.threat.tactic]
122id = "TA0042"
123name = "Resource Development"
124reference = "https://attack.mitre.org/tactics/TA0042/"
125
126[rule.investigation_fields]
127field_names = [
128    "@timestamp",
129    "user.name",
130    "source.address",
131    "aws.cloudtrail.user_identity.arn",
132    "aws.cloudtrail.user_identity.type",
133    "user_agent.original",
134    "event.action",
135    "event.outcome",
136    "cloud.region",
137    "aws.cloudtrail.flattened.request_parameters.protocol",
138    "aws.cloudtrail.flattened.request_parameters.topicArn",
139    "aws.cloudtrail.request_parameters",
140]
141
142[rule.new_terms]
143field = "new_terms_fields"
144value = ["aws.cloudtrail.user_identity.arn"]
145[[rule.new_terms.history_window_start]]
146field = "history_window_start"
147value = "now-10d"

Triage and Analysis

Investigating AWS SNS Topic Created by Rare User

This rule detects the creation of an AWS Simple Notification Service (SNS) topic by a user who does not typically perform this action. Adversaries may create SNS topics to facilitate data exfiltration or other malicious activities.

This is a New Terms rule that only flags when this behavior is observed for the first time on a host in the last 10 days.

Possible Investigation Steps

1. Identify the Actor and Context

  • User Identity and Role:
    • Examine aws.cloudtrail.user_identity.arn to determine who created the SNS topic.
    • Identify whether the actor assumed a privileged IAM role (aws.cloudtrail.user_identity.type: "AssumedRole").
  • User Agent and Tooling:
    • Check user_agent.name to determine if this action was performed via the AWS CLI, SDK, or Console.
    • If aws-cli was used, review whether it aligns with typical automation or administrative behavior.
  • Source IP and Geographic Location:
    • Review source.ip and source.geo fields to confirm if the request originated from a trusted or unexpected location.

2. Evaluate the SNS Topic Creation

  • Topic Name and Purpose:
    • Check aws.cloudtrail.flattened.request_parameters.name for the SNS topic name and determine whether it appears suspicious (e.g., random strings, unusual keywords).
  • Target Region and Account:
    • Verify cloud.region and cloud.account.id to ensure the SNS topic was created in an expected environment.
  • Associated API Calls:
    • Identify additional actions before or after this event using event.action values like:
      • Subscribe
      • Publish
      • SetTopicAttributes
    • These may indicate follow-up steps taken to misuse the SNS topic.

3. Analyze Potential Malicious Intent

  • Is This an Isolated Action or a Pattern?
    • Check if this user has previously created SNS topics using historical CloudTrail logs.
    • Look for multiple topic creations in a short period, which may suggest an automation script or malicious behavior.
  • Unusual Role Usage:
    • If aws.cloudtrail.user_identity.arn references an EC2 instance role, verify whether that instance typically performs SNS operations.
  • Potential Data Exfiltration or Persistence:
    • Review whether new subscriptions were added (Subscribe API action) to forward data externally.
    • If an SNS topic was configured to trigger Lambda functions or S3 events, it may indicate an attempt to persist in the environment.

False Positive Analysis

  • Legitimate Usage of SNS:
    • SNS is commonly used for event-driven notifications in AWS.
    • Check whether the SNS topic creation aligns with known DevOps, automation, or monitoring activities.
  • Routine IAM Role Activity:
    • If the user typically interacts with SNS, consider allowlisting expected IAM roles for this action.
  • AWS Services Creating Topics Automatically:
    • Some AWS services may auto-create SNS topics for alerts and monitoring. Confirm whether the creation was system-generated.

Response and Remediation

  • Confirm Authorization:
    • If the user was not expected to create SNS topics, verify whether their IAM permissions should be restricted.
  • Revoke Unauthorized Access:
    • If unauthorized, disable the access keys or IAM role associated with the event.
  • Monitor for Further SNS Modifications:
    • Set up additional monitoring for SNS Publish or Subscription events (Publish, Subscribe).
  • Enhance IAM Policy Controls:
    • Consider enforcing least privilege IAM policies and enabling multi-factor authentication (MFA) where applicable.
  • Investigate for Persistence:
    • Check whether the SNS topic is being used as a notification channel for Lambda, S3, or other AWS services.

References

  • CreateTopic - Amazon Simple Notification Service

    Creates a topic to which notifications can be published. Users can create at most 100,000 standard topics (at most 1,000 FIFO topics). For more information, see Creating an Amazon SNS topic in the Amazon SNS Developer Guide . This action is idempotent, so if the requester already owns a topic with the specified name, that topic's ARN is returned without creating a new topic.


    Read More

Related rules

to-top