Profile Applicability:

  • Level 1

Description:

AWS CloudTrail is a service that records API calls made on your AWS account, capturing detailed information about each API request. This includes who made the request, from where it was made, and what action was performed.

Privilege escalation threats occur when an attacker or malicious user gains unauthorized access or escalates their privileges within AWS, allowing them to perform actions that should be restricted. In the context of CloudTrail, this could happen if misconfigured permissions or roles give users more privileges than necessary, or if actions in CloudTrail logs allow attackers to discover elevated privileges or sensitive configurations.

This SOP ensures that CloudTrail configurations are set up to prevent privilege escalation, including auditing and reviewing access controls, roles, and actions logged by CloudTrail to detect and mitigate potential privilege escalation vectors.

Rationale:

Privilege escalation threats in CloudTrail can allow attackers or unauthorized users to gain higher levels of access to the AWS environment. This SOP counters that risk by ensuring the following:

  • Proper Access Control: Only authorized users and roles can access CloudTrail logs.

  • Least-Privilege Principle: Users and roles are granted only the permissions they need to perform their job functions, reducing the risk of privilege escalation.

  • Monitoring and Logging: CloudTrail captures all relevant actions, especially those related to privilege modifications or role changes.

This SOP helps mitigate the risk of attackers using CloudTrail logs to escalate privileges by ensuring proper configuration and access restrictions.

Impact:

Pros:

  • Enhanced Security: Restricts unauthorized access to CloudTrail logs, preventing attackers from using them to escalate privileges.

  • Compliance: Meets regulatory frameworks that require logging and auditing of administrative actions, such as SOC 2, HIPAA, and PCI-DSS.

  • Reduced Risk: Prevents unauthorized access to sensitive information that could be used for privilege escalation.

Cons:

  • Complex Configuration: Requires careful configuration of roles and permissions to ensure only authorized users have access to CloudTrail logs.

  • Monitoring Overhead: Continuously monitoring access to CloudTrail logs and reviewing permissions for privilege escalation threats adds administrative overhead.

Default Value:

By default, CloudTrail logs all events, but the permissions required to view, modify, or delete the logs may not be restricted, leading to the potential for privilege escalation if sensitive actions (e.g., modifying IAM roles or permissions) are performed.

Pre-requisite:

  • AWS IAM Permissions:

    • cloudtrail:DescribeTrails

    • cloudtrail:GetTrailStatus

    • cloudtrail:LookupEvents

    • iam:ListPolicies

    • iam:GetRolePolicy

    • iam:ListAttachedRolePolicies

  • AWS CLI installed and configured.

  • Basic knowledge of IAM roles, IAM policies, CloudTrail logs, and AWS security best practices.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudTrail under Services.

  3. In the CloudTrail Dashboard, review the trail configuration:

    • Ensure that CloudTrail is enabled in all AWS regions.

    • Ensure that the logs are stored in a secure S3 bucket with proper access controls to prevent unauthorized access or modification.

  4. Go to CloudTrail Logs and review whether any suspicious privilege escalation actions appear, such as:

    • Creation or modification of IAM roles or policies.

    • Privilege changes related to the root account or high-level roles.

  5. Check IAM roles and policies to ensure least-privilege principles are followed. Ensure that only specific authorized roles and users have CloudTrail lookup permissions (e.g., cloudtrail:LookupEvents).

Using AWS CLI:

To check if CloudTrail is enabled for all regions, run the following; a trail covers every region only when IsMultiRegionTrail is true, so HomeRegion alone is not sufficient:

aws cloudtrail describe-trails --query 'trailList[*].[Name,HomeRegion,IsMultiRegionTrail]'

To inspect CloudTrail events for privilege escalation actions, run:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddRoleToInstanceProfile

  1. Look for any events related to actions like:

    • CreatePolicy

    • AttachRolePolicy

    • AttachUserPolicy

    • PutRolePolicy

    • AddUserToGroup

  2. Review the events to ensure no unauthorized or suspicious actions are logged.
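The review in steps 1 and 2 is easier to repeat consistently if the JSON that lookup-events returns is triaged by a script rather than read by eye. The following is an added example for this SOP, not AWS tooling: it parses output shaped like `aws cloudtrail lookup-events --output json`, keeps only the event names listed above, and flags any that were not performed by a principal on an approved list. The event records, the account ID, the principal ARNs and the approved list are constructed for illustration.

```python
"""Triage `aws cloudtrail lookup-events` output for privilege-sensitive IAM
actions. Added example for this SOP, not AWS tooling; the records below are
constructed to mirror the CLI's JSON output and are not real account data."""
import json
from collections import Counter

# Event names the SOP calls out as privilege-escalation indicators.
PRIVILEGE_SENSITIVE_EVENTS = frozenset({
    "AddRoleToInstanceProfile", "CreatePolicy", "AttachRolePolicy",
    "AttachUserPolicy", "PutRolePolicy", "AddUserToGroup",
})

# Principals expected to perform IAM changes (assumption for the example).
APPROVED_PRINCIPALS = frozenset({
    "arn:aws:iam::111122223333:role/iam-admin-pipeline",
})


def _event(name, arn, params, error_code=None, time="2024-01-01T10:00:00Z"):
    """Build one record shaped like Events[] from lookup-events (constructed).
    The CLI returns the full event as a JSON string in CloudTrailEvent."""
    detail = {"eventTime": time, "eventName": name,
              "userIdentity": {"arn": arn}, "sourceIPAddress": "203.0.113.10",
              "requestParameters": params}
    if error_code:
        detail["errorCode"] = error_code
    return {"EventName": name, "CloudTrailEvent": json.dumps(detail)}


# Constructed sample output: one approved change, one unapproved success,
# one denied attempt, and one unrelated read-only call.
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    _event("AttachRolePolicy", "arn:aws:iam::111122223333:role/iam-admin-pipeline",
           {"roleName": "app-role",
            "policyArn": "arn:aws:iam::111122223333:policy/app-read"}),
    _event("PutRolePolicy", "arn:aws:iam::111122223333:user/deploy-user",
           {"roleName": "app-role", "policyName": "inline-admin"}),
    _event("AddUserToGroup", "arn:aws:iam::111122223333:user/deploy-user",
           {"groupName": "Administrators", "userName": "deploy-user"},
           error_code="AccessDenied"),
    _event("DescribeTrails", "arn:aws:iam::111122223333:user/auditor", {}),
]})


def triage_events(lookup_output_json, approved=APPROVED_PRINCIPALS):
    """Return one finding per privilege-sensitive event, in input order.

    needs_review is True when the principal is not on the approved list. A
    denied attempt (errorCode present) is still reported, because repeated
    denials from one identity are themselves worth a look."""
    findings = []
    for rec in json.loads(lookup_output_json)["Events"]:
        detail = json.loads(rec["CloudTrailEvent"])
        name = detail.get("eventName", rec.get("EventName"))
        if name not in PRIVILEGE_SENSITIVE_EVENTS:
            continue
        principal = detail.get("userIdentity", {}).get("arn", "unknown")
        findings.append({
            "time": detail.get("eventTime"),
            "event": name,
            "principal": principal,
            "source_ip": detail.get("sourceIPAddress"),
            "succeeded": "errorCode" not in detail,
            "params": detail.get("requestParameters", {}),
            "needs_review": principal not in approved,
        })
    return findings


def count_by_principal(findings):
    """Count review-worthy events per principal (Counter.most_common sorts)."""
    return Counter(f["principal"] for f in findings if f["needs_review"])


if __name__ == "__main__":
    for f in triage_events(SAMPLE_LOOKUP_OUTPUT):
        flag = "REVIEW" if f["needs_review"] else "ok"
        print(f"{flag:6} {f['time']} {f['event']:24} {f['principal']} "
              f"succeeded={f['succeeded']}")
```

To use it against a real account, replace SAMPLE_LOOKUP_OUTPUT with the JSON from the lookup-events command above (run once per event name, or iterate over PRIVILEGE_SENSITIVE_EVENTS) and keep the approved list in sync with whichever pipeline or role is actually permitted to change IAM in your environment.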

To check the permissions for CloudTrail access, run:

aws iam list-policies --query 'Policies[?PolicyName==`CloudTrailLogAccessPolicy`]'

  1. Ensure that only the authorized roles/users have CloudTrail log access.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to CloudTrail.

  2. Go to Trails and ensure that CloudTrail is enabled for all regions.

  3. Check that S3 bucket permissions for CloudTrail logs are set to private, ensuring that unauthorized users or roles cannot access or modify the logs.

  4. Review IAM roles and policies to ensure only authorized personnel have permissions like cloudtrail:LookupEvents.

  5. If necessary, apply restrictive IAM policies to prevent unauthorized access to CloudTrail logs.

Using AWS CLI:

Ensure that CloudTrail is enabled in all regions by running the following and confirming that at least one trail reports IsMultiRegionTrail as true:

aws cloudtrail describe-trails --query 'trailList[*].[Name,HomeRegion,IsMultiRegionTrail]'

Review CloudTrail logs for privilege escalation events:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AttachRolePolicy

  1. Check IAM roles and policies to ensure that the least privilege principle is followed and that only authorized roles have the ability to access or modify CloudTrail logs.

To restrict CloudTrail access to specific users/roles, update IAM policies:

aws iam put-role-policy --role-name <role-name> --policy-name CloudTrailLogAccessPolicy --policy-document '<policy-document-json>'
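The put-role-policy command above takes the policy document as an argument, and the document is where least privilege is either achieved or lost. The following added example (written for this SOP, not AWS's own tooling) builds a read-only CloudTrail policy limited to the three lookup permissions from the prerequisites, and lints a candidate document for the patterns that defeat the restriction: wildcard actions, NotAction, and trail-modifying actions that would let a log reader stop or delete the trail. The policy name CloudTrailLogAccessPolicy comes from the SOP; the "weak" document is constructed for illustration.

```python
"""Build and lint the policy document handed to `aws iam put-role-policy`.
Added example for this SOP, not AWS's own tooling; the weak document below
is constructed for illustration."""
import json

# Read-only CloudTrail actions the SOP's prerequisites call for.
CLOUDTRAIL_READ_ACTIONS = [
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:LookupEvents",
]

# Actions that would let a log reader blind or reconfigure the trail.
CLOUDTRAIL_WRITE_ACTIONS = frozenset({
    "cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
    "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
})


def build_cloudtrail_read_policy():
    """Least-privilege inline policy for CloudTrail log lookup. LookupEvents
    does not support resource-level restriction, so Resource stays "*" and
    the restriction is carried by the explicit action list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CloudTrailReadOnly",
            "Effect": "Allow",
            "Action": list(CLOUDTRAIL_READ_ACTIONS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    """IAM allows a single string or a list in Statement, Action, etc."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (Sid, reason) pairs for Allow statements that grant more than
    read access to CloudTrail: wildcards, NotAction, or write actions."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            problems.append((sid, "NotAction allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                problems.append((sid, f"wildcard action {action}"))
            elif action in CLOUDTRAIL_WRITE_ACTIONS:
                problems.append((sid, f"trail-modifying action {action}"))
    return problems


# Constructed weak document: a service wildcard plus a trail-stopping action
# mixed in with the legitimate lookup permission.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Everything", "Effect": "Allow",
         "Action": "cloudtrail:*", "Resource": "*"},
        {"Sid": "Modify", "Effect": "Allow",
         "Action": ["cloudtrail:LookupEvents", "cloudtrail:StopLogging"],
         "Resource": "*"},
    ],
}


def policy_document_arg(policy):
    """Serialize compactly for the CLI's --policy-document argument."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    for sid, reason in find_overbroad_statements(WEAK_POLICY):
        print(f"WEAK_POLICY {sid}: {reason}")
    good = build_cloudtrail_read_policy()
    assert not find_overbroad_statements(good)
    print("aws iam put-role-policy --role-name <role-name> "
          "--policy-name CloudTrailLogAccessPolicy "
          f"--policy-document '{policy_document_arg(good)}'")
```

Run the linter over any existing CloudTrailLogAccessPolicy document before and after the change; a clean result on the hardened document and findings on the old one give a concrete record for the Test Plan step that checks who holds cloudtrail:LookupEvents.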

Backout Plan:

If restricting access to CloudTrail logs or changes to IAM roles/policies causes legitimate issues:

  1. Identify the affected CloudTrail log or IAM role.

  2. Revert the changes to the IAM policies or CloudTrail configuration.

  3. If needed, re-enable access to CloudTrail logs for authorized users by modifying the IAM policies or removing overly restrictive policies.

Note (Optional):

  • CloudTrail Event Monitoring: Continuously monitor CloudTrail logs using CloudWatch to detect any unauthorized changes to roles, permissions, or other security-sensitive actions.

  • MFA Enforcement: Enforce MFA for high-privilege actions, such as modifying IAM policies or deleting CloudTrail logs, to add an additional layer of security.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                    | IG1 | IG2 | IG3
  --------|------------|--------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                   |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.        |     |     |