Threat Technique Catalog for AWS
Disclaimer
At AWS, security is our top priority. Security and compliance are a shared responsibility between AWS and the customer. This division of responsibility is commonly referred to as Security "of" the Cloud (AWS responsibility) versus Security "in" the Cloud (customer responsibility).
The tactics and techniques presented in this catalog have been observed during security events which have occurred as a result of common misconfigurations or compromised credentials on the customer side ("Security in the Cloud"). It does not indicate vulnerabilities or issues within AWS itself ("Security of the Cloud"). AWS does not claim that the catalog outlines every type of unauthorized action and behavior performed by threat actors within an AWS account or AWS Organization. Techniques represented in the Threat Technique Catalog for AWS where a specific principal performs actions on the control plane require that a threat actor has already gained control of an AWS identity with the permissions necessary to perform the technique.
Introduction
The Threat Technique Catalog for AWS describes techniques used by threat actors to take advantage of security misconfigurations or compromised credentials on the customer side ("Security in the Cloud") of the shared responsibility model.
The catalog is based on MITRE ATT&CK® and is used to identify and categorize threat actor behaviors observed by the AWS CIRT during security events they have investigated. Identifying the techniques used by threat actors during security events provides service metadata to AWS and its service teams on the motivations and methods threat actors use to perform unauthorized actions. This metadata helps AWS shape its service roadmap to make its services more secure. Theoretical techniques, and those identified by security researchers, are still important but are not in scope for the Threat Technique Catalog for AWS.
In most instances, we have tried to avoid creating a new technique or sub-technique where an existing MITRE technique would suffice. Where this is the case, we would only append or update the content with information on common event names that are logged in CloudTrail event history as a result of the technique being used; and in most cases, add more detail around methods for detection and options for mitigation. In other cases, we have made specific decisions to create new techniques or sub-techniques to allow us to capture data on the different methods that threat actors are utilizing as part of their unauthorized actions. The catalog will be a continual work-in-progress as techniques and sub-techniques are observed by the AWS CIRT during security events.
For additional resources related to incident response, the AWS Security Incident Response User Guide can be used to prepare you to respond to security incidents within AWS. The Playbook resources section can also help you create, develop, and integrate the content available here in the Threat Technique Catalog for AWS with tools and processes in your own environment.
Getting started
The catalog can be used to identify techniques that are relevant to the AWS services used by your organization, then referenced when you build and test appropriate security controls that are related to each identified technique. To begin, click on Matrix on the navigation bar on the left which will take you to the matrix. Techniques will be color coded into MITRE Techniques and AWS Techniques. MITRE Techniques are techniques represented in ATT&CK® and in some cases will have additional AWS specific and relevant content. This content is indicated by an orange label:

AWS CloudTrail Event Names
When applicable and relevant, techniques will also include AWS CloudTrail Event Names. These are the actions that are logged in CloudTrail when attempted or invoked, and they can also be used as an aid for threat hunting or for searching for indicators during investigations. The event names use the format service:APIcall. In the CloudTrail record itself the service is carried in the eventSource field (for example s3.amazonaws.com) and the API call in the eventName field, so searches should match on those two fields; failed attempts are recorded as well, with the reason in the errorCode field (for example AccessDenied). In the image below, s3:DeleteBucket translates to the Amazon S3 service and the DeleteBucket API call:

AWS Services
To review techniques according to AWS Service, click on the ‘+’ sign next to AWS Services in the navigation bar on the left:

For example, if you use Amazon S3 in your environment and want to review which techniques are relevant to the Amazon S3 service, you would look for ‘S3’ in the list of AWS Services. This would display all techniques within the Threat Technique Catalog for AWS that impact the S3 service:

Usage Notes
- The catalog is not a complete listing of techniques we have observed; however, it strives to be a current listing of the techniques for which we have the most available data
- Some techniques are only visible in CloudTrail if the logging of data events has been configured, e.g. s3:GetObject. A trail records management events by default; object-level S3 calls such as GetObject are data events and must be enabled explicitly, otherwise use of the technique leaves no CloudTrail record
- There are techniques catalogued that are not strictly adversarial techniques, such as Overly Permissive VPC Security Groups. They are listed as part of the Threat Technique Catalog for AWS because they represent misconfigurations that threat actors have taken advantage of, and the presence of these 'techniques' allows AWS to capture data on how often they are abused as part of a security event
- Techniques and sub-techniques that involve Discovery or Reconnaissance, such as Discovery → Cloud Storage Discovery → S3 Object and Bucket Enumeration, may include mitigations that alter the usability of services in your organization. For example, to restrict the use of that technique, IAM principals would need the s3:ListBuckets and s3:ListObjects calls denied in their policies. Note that the IAM actions governing these calls are not named after the API calls: ListBuckets is controlled by the s3:ListAllMyBuckets action and ListObjects/ListObjectsV2 by the s3:ListBucket action, so a deny statement must name those actions. There are cases where it makes sense to remove the ability to list objects and buckets in your AWS account; however, if this is not the case, the mitigation for this discovery technique should not be implemented
- With some techniques, an event name is listed, but it may not be a prerequisite for the technique to have been utilized. For example, the Defense Evasion → Unused/Unsupported Cloud Regions technique means that the threat actor has used a region that is not typically used by the AWS account holder. In some cases the region would have already been enabled; however, when a region needs to be enabled in an AWS account, the event name account:EnableRegion will be logged in CloudTrail for that action
- With most techniques, the options for Detection and Mitigation are similar and include the same foundational steps. For example, with Detection, most mutating (non-read-only) management events are captured in AWS CloudTrail, which means that, as a starting action, looking for event names related to a specific technique in CloudTrail can help point to unauthorized activity. With Mitigation, an action can often be mitigated by restricting the related permissions. Additional detail for the Detection and Mitigation sections in each technique is provided where possible.
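As an added example (not part of the catalog or of any AWS tooling), the script below applies the notes above in working code: it converts CloudTrail records, whose service and API call live in eventSource and eventName, into the catalog's service:APIcall notation, matches them against a watchlist of technique event names, keeps failed attempts (errorCode present), flags calls that only appear in CloudTrail when data events are enabled, and drafts the IAM deny statement for the S3 discovery technique using the IAM action names (s3:ListAllMyBuckets, s3:ListBucket) rather than the API names. The watchlist, the data-event set, the sample records, the ARNs and the IP addresses are all constructed for this example.

```python
"""Hunt CloudTrail records for Threat Technique Catalog event names and draft
the IAM deny statement that would restrict the matching API calls.

Added example for this page; not part of the catalog or any AWS tool. The
watchlist, the data-event set and the records below are constructed.
"""
import json

# Catalog event names (service:APIcall) to hunt for, with the technique each
# is listed under. Constructed watchlist; real entries come from the catalog.
WATCHLIST = {
    "s3:ListBuckets": "Discovery -> Cloud Storage Discovery -> S3 Object and Bucket Enumeration",
    "s3:ListObjects": "Discovery -> Cloud Storage Discovery -> S3 Object and Bucket Enumeration",
    "s3:GetObject": "Collection -> Data from Cloud Storage",
    "s3:DeleteBucket": "Impact -> Data Destruction",
    "account:EnableRegion": "Defense Evasion -> Unused/Unsupported Cloud Regions",
}

# Object-level S3 calls that CloudTrail records only when data-event logging
# is configured (constructed subset for this example).
DATA_EVENT_CALLS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

# The IAM action governing an API call is usually service:APIcall, but not
# always. These S3 exceptions matter when writing a deny policy.
IAM_ACTION_OVERRIDES = {
    "s3:ListBuckets": "s3:ListAllMyBuckets",
    "s3:ListObjects": "s3:ListBucket",
    "s3:ListObjectsV2": "s3:ListBucket",
}


def catalog_name(record):
    """Map a CloudTrail record to the catalog's service:APIcall notation.

    CloudTrail stores the service in eventSource (s3.amazonaws.com) and the
    API call in eventName (DeleteBucket). The first label of eventSource is
    the right prefix for s3 and account; a few services use a different IAM
    prefix (monitoring.amazonaws.com is cloudwatch), so extend this as needed.
    """
    service = record["eventSource"].split(".")[0]
    return f"{service}:{record['eventName']}"


def needs_data_events(name):
    """True if CloudTrail only logs this call when data events are enabled."""
    return name in DATA_EVENT_CALLS


def hunt(records, watchlist=WATCHLIST):
    """Return the records whose event name is on the watchlist.

    Failed attempts are kept on purpose: an AccessDenied DeleteBucket from a
    principal that should never touch S3 is still a useful indicator.
    """
    hits = []
    for rec in records:
        name = catalog_name(rec)
        if name not in watchlist:
            continue
        identity = rec.get("userIdentity", {})
        hits.append({
            "eventName": name,
            "technique": watchlist[name],
            "principal": identity.get("arn", "<unknown>"),
            "region": rec.get("awsRegion"),
            "sourceIp": rec.get("sourceIPAddress"),
            "errorCode": rec.get("errorCode"),
            "dataEvent": needs_data_events(name),
        })
    return hits


def iam_action(name):
    """IAM action to deny for a catalog event name."""
    return IAM_ACTION_OVERRIDES.get(name, name)


def deny_policy(names, sid="DenyCatalogTechniqueCalls"):
    """Draft an IAM policy denying the actions behind these API calls."""
    actions = sorted({iam_action(n) for n in names})
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Deny",
                       "Action": actions, "Resource": "*"}],
    }


# Constructed CloudTrail-style records (not real log data); only the fields
# read above are filled in. Account ID and IPs are documentation values.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventSource": "account.amazonaws.com", "eventName": "EnableRegion",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(json.dumps(hit))
    print(json.dumps(deny_policy(["s3:ListBuckets", "s3:ListObjects"]), indent=2))
```

To run it against real data, replace SAMPLE_RECORDS with the Records array of an exported CloudTrail log file, and extend the eventSource-to-prefix logic in catalog_name for services whose IAM prefix differs from the eventSource label. Review the deny_policy output before attaching it anywhere: denying s3:ListBucket also blocks legitimate object listing, which is exactly the usability trade-off the usage note above describes.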
License identification
This repository is licensed under the MIT-0 License.
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
© 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Feedback
Please send feedback to: aws-cirt@amazon.com