CloudWatch or CloudTrail for Lambda PassRole attack

0

We have one AWS user who has PassRole, Lambda invoke and create inline policy permissions. We suspect this user used a Lambda script to pass a role and attach the awsadminaccess policy to his account. How can we identify this? Through CloudWatch or CloudTrail? If through CloudTrail, how would we know the Lambda script he invoked is malicious, and how do we track role changes for this IAM account given a date range? Thanks.

Asked 2 years ago · 258 views
2 answers
0

For sensitive questions, I'd reach out to AWS Support for help as well.

For AWS Management API calls including IAM Changes such as:

In CloudTrail, you can filter by dates and search by Events as well. For checking the Lambda, you can check Invocation of the Lambda (Lambda being run as well).

There are some AWS Services that offer checks like that such as AWS Config: https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html, but you may want to evaluate the cost of those services as well.

For information to do with suspected compromise, read here: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/.

jsonc
Answered 2 years ago
0

Hi, I checked CloudTrail. I defined the time range, then I searched by event name: attachrolepolicy.

I want to restrict it further by user or other criteria. How do I do that? It only allows me to search by one criterion, for example Event name.

Answered 2 years ago
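One way to combine the criteria asked about above (date range, event name and user) is to filter exported CloudTrail records offline. This is an added example, not part of the original thread; it assumes the records are already loaded as JSON objects, and the account ID, user, role and function names in the sample are constructed.

```python
from datetime import datetime, timezone
# IAM management events that change what a principal may do.
IAM_CHANGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy",
                     "PutUserPolicy", "PutRolePolicy"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def parse_time(ts):
    # CloudTrail eventTime is UTC, e.g. 2023-03-02T10:15:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_changes(records, start, end, user):
    """Policy changes in [start, end] made by `user` or applied to `user`.
    The target match matters: when a Lambda makes the call, the caller is
    the function's execution role, not the user who invoked the function."""
    hits = []
    for r in records:
        if r.get("eventName") not in IAM_CHANGE_EVENTS:
            continue
        if not start <= parse_time(r["eventTime"]) <= end:
            continue
        ident = r.get("userIdentity", {})
        params = r.get("requestParameters") or {}
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        if ident.get("userName") == user or params.get("userName") == user:
            hits.append({
                "time": r["eventTime"], "event": r["eventName"],
                "caller": ident.get("arn"), "via_role": issuer.get("userName"),
                "target": params.get("userName") or params.get("roleName"),
                "admin": params.get("policyArn") == ADMIN_POLICY_ARN})
    return hits

# Constructed sample records (account ID, user, role and function names are made up).
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/lambda-exec-role/priv-func"
SAMPLE = [
    {"eventTime": "2023-03-02T10:15:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
         "sessionContext": {"sessionIssuer": {"userName": "lambda-exec-role"}}},
     "requestParameters": {"userName": "dev-user", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2023-03-02T11:00:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ops-user"},
     "requestParameters": {"roleName": "app-role",
         "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2023-04-20T09:00:00Z", "eventName": "PutUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": {"userName": "dev-user", "policyName": "inline-1"}},
]
WINDOW = (parse_time("2023-03-01T00:00:00Z"), parse_time("2023-03-31T23:59:59Z"))
if __name__ == "__main__":
    print(find_changes(SAMPLE, *WINDOW, "dev-user"))
```

The `via_role` field of a hit names the role that made the change, which is the role to trace back to the Lambda function that uses it.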
