Profile Applicability:
- Level 1
Description:
AWS CloudTrail is a service that records API calls made on your AWS account, capturing detailed information about each API request. This includes the identity of the requester, the source IP address, the time of the request, and other details.
Enumeration threats refer to the risk where an attacker or unauthorized user may try to query or enumerate resources by making API calls to discover sensitive information about your environment. In CloudTrail, this could manifest as events that reveal sensitive resource names, IDs, or configurations that could be exploited for unauthorized access or further attacks.
This SOP ensures that CloudTrail is properly configured to detect and prevent potential enumeration threats by reviewing event logs, ensuring proper logging settings, and using least-privilege access to mitigate the risk of enumeration.
Rationale:
CloudTrail is essential for audit and compliance purposes, but it can also be a target for attackers looking to gather information about your AWS environment. To reduce the likelihood of a successful enumeration attack:
Limit CloudTrail access: Ensure that sensitive information isn’t easily accessible through CloudTrail logs.
Ensure least-privilege access: Limit who can query CloudTrail logs, preventing attackers from exploiting CloudTrail to enumerate resources.
Enable logging for critical events: Ensure that CloudTrail records are comprehensive, covering actions that could expose sensitive details.
Impact:
Pros:
Enhanced Security: Prevents unauthorized discovery of resources and configurations in your environment.
Reduced Risk: Mitigates the risk of attackers using CloudTrail logs for reconnaissance.
Compliance: Ensures that access to CloudTrail logs is limited, aligning with security best practices and compliance requirements (e.g., SOC 2, HIPAA, PCI-DSS).
Cons:
Increased Monitoring: Requires continuous monitoring of CloudTrail settings and access controls to prevent misuse.
Configuration Complexity: Ensuring proper access control policies and auditing configurations can require additional administrative effort.
Default Value:
By default, CloudTrail logs events but does not enforce strict access controls on querying CloudTrail logs, leaving the potential for sensitive resource enumeration. CloudTrail access and event logging configurations need to be actively managed to mitigate these risks.
Pre-requisite:
AWS IAM Permissions:
cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:LookupEvents
iam:ListPolicies
AWS CLI installed and configured.
Understanding of CloudTrail configuration and IAM policies.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to CloudTrail under Services.
In the CloudTrail Dashboard, review the trail configuration:
Ensure that CloudTrail is enabled in all regions.
Review the S3 bucket for logs and ensure that it is not publicly accessible or misconfigured to allow unnecessary access.
In the Event History section, search for any enumeration activities like resource listing (List*, Describe*, etc.) and ensure they are being properly logged and audited.
Check that IAM roles and users have appropriate access levels to query CloudTrail logs. Use the IAM console to verify that no unnecessary permissions are granted for CloudTrail event lookup.
Using AWS CLI:
To ensure CloudTrail is enabled in all regions, run:
aws cloudtrail describe-trails --query 'trailList[*].[Name,HomeRegion,IsMultiRegionTrail]' --output table
A trail that covers all regions reports IsMultiRegionTrail as true; HomeRegion alone only shows the region in which the trail was created.
To check for any potential enumeration activities, query CloudTrail event history for read-only actions and filter for resource listing or describing. lookup-events matches AttributeValue exactly (wildcards such as List* are not supported), so the prefix filter is applied client-side with --query:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ReadOnly,AttributeValue=true --query "Events[?starts_with(EventName, 'List') || starts_with(EventName, 'Describe')].[EventTime,Username,EventSource,EventName]" --output table
Review the results for any events that may indicate enumeration activities. Specifically, look for actions like ListBuckets, DescribeInstances, DescribeVolumes, etc., and in particular for many such calls from a single identity across several services within a short period.
Ensure that access to query CloudTrail logs is properly restricted. List the customer-managed policy that grants CloudTrail access (CloudTrailLogAccessPolicy is an example name; substitute the policy name in use) and review its statements:
aws iam list-policies --scope Local --query 'Policies[?PolicyName==`CloudTrailLogAccessPolicy`]'
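The event-history review above describes what enumeration looks like in CloudTrail but leaves the judgement to the reviewer. The following Python script is an added example, not part of the original SOP: it consumes output in the shape returned by aws cloudtrail lookup-events (each Event carries the full record as a JSON string in CloudTrailEvent) and flags identities that issue many List*/Describe*/Get* calls across several services within a short window, which is the pattern the test plan asks the reviewer to look for. All records, ARNs, IP addresses and thresholds below are constructed for the example.

```python
"""Scan CloudTrail event-history records for enumeration-style bursts.

Added example, not from the original SOP. Input is a lookup-events response;
output is a per-identity summary of qualifying bursts. Sample data is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# API name prefixes typical of read-only reconnaissance.
ENUM_PREFIXES = ("List", "Describe", "Get")


def is_enumeration_event(event_name):
    return event_name.startswith(ENUM_PREFIXES)


def parse_lookup_events(payload):
    """Flatten a lookup-events response into simple dicts."""
    records = []
    for ev in payload["Events"]:
        rec = json.loads(ev["CloudTrailEvent"])
        records.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": rec["eventName"],
            "source": rec["eventSource"],
            "arn": rec.get("userIdentity", {}).get("arn", "unknown"),
            "ip": rec.get("sourceIPAddress", ""),
        })
    return records


def find_enumeration_bursts(records, window=timedelta(minutes=10),
                            min_calls=5, min_services=3):
    """Return {arn: summary} for identities whose enumeration calls inside some
    `window`-long span reach `min_calls` calls over at least `min_services`
    distinct event sources. The largest qualifying span per identity is kept."""
    by_arn = defaultdict(list)
    for r in records:
        if is_enumeration_event(r["name"]):
            by_arn[r["arn"]].append(r)
    findings = {}
    for arn, evs in by_arn.items():
        evs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            services = {r["source"] for r in span}
            if len(span) < min_calls or len(services) < min_services:
                continue
            if arn not in findings or len(span) > findings[arn]["calls"]:
                findings[arn] = {
                    "calls": len(span),
                    "services": sorted(services),
                    "first_seen": span[0]["time"].isoformat(),
                    "source_ips": sorted({r["ip"] for r in span}),
                }
    return findings


def _record(ts, name, source, arn, ip):
    """Build one lookup-events Event with its CloudTrailEvent JSON string (constructed)."""
    return {"EventName": name, "CloudTrailEvent": json.dumps({
        "eventTime": ts, "eventName": name, "eventSource": source,
        "userIdentity": {"arn": arn}, "sourceIPAddress": ip})}


RECON_ARN = "arn:aws:iam::111122223333:user/example-contractor"  # constructed
OPS_ARN = "arn:aws:iam::111122223333:role/example-ops-role"     # constructed

# Constructed sample: a 35-second sweep across five services versus routine
# operator activity spread over half an hour in a single service.
SAMPLE_RESPONSE = {"Events": [
    _record("2024-05-01T10:00:05Z", "ListBuckets", "s3.amazonaws.com", RECON_ARN, "198.51.100.7"),
    _record("2024-05-01T10:00:09Z", "DescribeInstances", "ec2.amazonaws.com", RECON_ARN, "198.51.100.7"),
    _record("2024-05-01T10:00:12Z", "DescribeVolumes", "ec2.amazonaws.com", RECON_ARN, "198.51.100.7"),
    _record("2024-05-01T10:00:20Z", "ListUsers", "iam.amazonaws.com", RECON_ARN, "198.51.100.7"),
    _record("2024-05-01T10:00:31Z", "ListFunctions", "lambda.amazonaws.com", RECON_ARN, "198.51.100.7"),
    _record("2024-05-01T10:00:40Z", "GetCallerIdentity", "sts.amazonaws.com", RECON_ARN, "198.51.100.7"),
    _record("2024-05-01T09:00:00Z", "DescribeInstances", "ec2.amazonaws.com", OPS_ARN, "203.0.113.10"),
    _record("2024-05-01T09:30:00Z", "DescribeInstances", "ec2.amazonaws.com", OPS_ARN, "203.0.113.10"),
    _record("2024-05-01T09:31:00Z", "RunInstances", "ec2.amazonaws.com", OPS_ARN, "203.0.113.10"),
]}


def scan_sample():
    return find_enumeration_bursts(parse_lookup_events(SAMPLE_RESPONSE))


if __name__ == "__main__":
    for arn, f in scan_sample().items():
        print(f"{arn}: {f['calls']} enumeration calls across "
              f"{len(f['services'])} services from {f['source_ips']}")
```

In practice the payload would come from aws cloudtrail lookup-events --output json (paged with --max-results and NextToken); the thresholds are a starting point to be tuned against normal operator activity so that routine Describe calls, like the ops role in the sample, are not flagged.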
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to CloudTrail.
Under Trails, ensure that a trail is enabled in all AWS regions.
Set CloudTrail logs to be stored in a private S3 bucket with strict access control (only authorized IAM roles should be allowed to access CloudTrail logs).
Review IAM roles and policies that grant permissions for querying CloudTrail logs, and remove excessive permissions. Ensure only necessary users and roles have cloudtrail:LookupEvents permission.
Disable or restrict access to CloudTrail logs to mitigate risks of resource enumeration. Review access logs periodically to ensure no misuse.
Using AWS CLI:
Ensure that CloudTrail is enabled for all regions by running the following command (a trail covering all regions reports IsMultiRegionTrail as true):
aws cloudtrail describe-trails --query 'trailList[*].[Name,HomeRegion,IsMultiRegionTrail]' --output table
To ensure access control is enforced, remove unnecessary grants of cloudtrail:LookupEvents (delete-user-policy removes an inline policy; detach-user-policy removes an attached managed policy):
aws iam delete-user-policy --user-name <user-name> --policy-name <policy-name>
aws iam detach-user-policy --user-name <user-name> --policy-arn <policy-arn>
To query for potentially dangerous enumeration events, run (lookup-events does not accept wildcards in AttributeValue, so the List/Describe prefix filter is applied client-side with --query):
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ReadOnly,AttributeValue=true --query "Events[?starts_with(EventName, 'List') || starts_with(EventName, 'Describe')].[EventTime,Username,EventSource,EventName]" --output table
Adjust IAM roles and policies to limit CloudTrail event access to only necessary personnel (the policy document is a JSON file passed with the file:// prefix):
aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://<policy-json-file>
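The implementation steps above (and the policy review in the test plan) ask for CloudTrail event access to be limited to the identities that need it, but do not show what a narrowly scoped policy document looks like or how to tell an explicit grant from one that arrives through a wildcard. The following Python script is an added example, not part of the original SOP: it builds the least-privilege policy document that can be saved and passed to put-role-policy with file://, and audits a set of policy documents for any Allow statement that covers cloudtrail:LookupEvents, using the same case-insensitive wildcard matching IAM applies to Action. The policy names and contents are constructed for the example.

```python
"""Audit IAM policy documents for grants of cloudtrail:LookupEvents.

Added example, not from the original SOP. Policy names and documents are
constructed; the least-privilege document is the one this SOP's remediation
step would pass to `aws iam put-role-policy --policy-document file://...`.
"""
import fnmatch
import json

# Narrow inline policy: only event-history lookup and trail status reads.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudTrailReadOnlyLookup",
        "Effect": "Allow",
        "Action": ["cloudtrail:LookupEvents",
                   "cloudtrail:GetTrailStatus",
                   "cloudtrail:DescribeTrails"],
        # These CloudTrail actions do not support resource-level restriction.
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def grants_of(policy, action="cloudtrail:LookupEvents"):
    """Return [(Sid, matched Action pattern)] for Allow statements covering `action`.

    IAM matches Action patterns case-insensitively with * and ? wildcards.
    Deny statements are skipped; a NotAction allow is reported as a hit
    because it grants everything not listed, which almost always over-grants."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            hits.append((sid, "NotAction"))
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.append((sid, pattern))
    return hits


def audit_policies(policies, action="cloudtrail:LookupEvents"):
    """policies: {policy_name: policy_document}.
    Returns {policy_name: 'explicit' | 'wildcard' | 'none'}."""
    report = {}
    for name, doc in policies.items():
        hits = grants_of(doc, action)
        if not hits:
            report[name] = "none"
        elif any("*" in pattern or pattern == "NotAction" for _, pattern in hits):
            report[name] = "wildcard"
        else:
            report[name] = "explicit"
    return report


# Constructed sample policies, as they might be collected with get-role-policy
# or get-policy-version across an account.
SAMPLE_POLICIES = {
    "example-auditor-inline": LEAST_PRIVILEGE_POLICY,
    "example-legacy-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "example-cloudtrail-full": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllTrailOps", "Effect": "Allow",
         "Action": ["cloudtrail:*"], "Resource": "*"}]},
    "example-s3-only": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"}]},
}


def audit_sample():
    return audit_policies(SAMPLE_POLICIES)


def policy_document_json():
    """Serialized form to save as policy.json for --policy-document file://policy.json."""
    return json.dumps(LEAST_PRIVILEGE_POLICY, indent=2)


if __name__ == "__main__":
    for name, verdict in audit_sample().items():
        print(f"{name}: {verdict}")
```

Policies reported as "wildcard" are the ones to rewrite: they grant LookupEvents as a side effect of "*" or "cloudtrail:*" and usually much more besides, whereas an "explicit" grant on a role that genuinely needs to read event history is the intended end state.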
Backout Plan:
If restricting CloudTrail access or logging of enumeration activities causes issues (e.g., preventing legitimate access or troubleshooting):
Revert any IAM policies that were modified to restrict access to CloudTrail logs.
Re-enable access for any IAM roles that need to view CloudTrail logs by modifying the IAM policy.
To remove restrictive policies, run:
aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>
Verify that CloudTrail logs are accessible by the necessary users.
Note:
Monitoring: Use CloudWatch Logs and CloudTrail to monitor access and activity logs for signs of unauthorized access or misuse of CloudTrail event data.
Automated Alerts: Set up automated alerts through AWS Config or CloudWatch to notify you if any sensitive resource listing actions (e.g., ListInstances, Describe*) are logged or if there are changes to CloudTrail log access policies.