Account Manipulation: AWS Support Case Closure


AWS Specific Sub-Technique



A prerequisite for this technique is that a threat actor has already gained access to AWS account credentials with permissions to view and modify AWS Support cases.

Threat actors can attempt to maintain persistence by closing AWS Support cases that may alert account owners to unintended activity. This technique can be particularly challenging when the Support case was automatically generated for security-related issues, such as potential inappropriate account access or unusual resource usage. By closing these cases, threat actors aim to prevent detection and extend their unauthorized access.

Detection

When this technique is used, support case modifications will be logged in CloudTrail. You can use the Event history page in the AWS CloudTrail console to view the past 90 days of events related to AWS Support actions such as support:ResolveCase.

A separate CloudTrail trail will provide an ongoing record of support case activities. Key events to monitor include case closure events, particularly those occurring shortly after case creation or outside normal business hours. You can create CloudWatch metric filters to detect patterns such as support cases being closed without customer communication or cases being closed by newly created IAM users.
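The checks described above (closure shortly after creation, closure outside business hours, closure by a newly created IAM user) can be run offline over exported CloudTrail records. The Python below is an added example, not part of the original page or of any AWS tooling; the sample records are constructed, and the thresholds, the 08:00-18:00 UTC weekday window and the location of caseId in each record are assumptions.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records, trimmed to the fields used here (not real log data).
# Assumption: caseId is in responseElements for CreateCase, requestParameters for ResolveCase.
EVENTS = [
    {"eventTime": "2025-01-06T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "requestParameters": {"userName": "svc-temp"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
    {"eventTime": "2025-01-07T02:10:00Z", "eventSource": "support.amazonaws.com",
     "eventName": "CreateCase", "responseElements": {"caseId": "case-example-1"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
    {"eventTime": "2025-01-07T02:14:00Z", "eventSource": "support.amazonaws.com",
     "eventName": "ResolveCase", "requestParameters": {"caseId": "case-example-1"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-temp"}},
    {"eventTime": "2025-01-08T14:30:00Z", "eventSource": "support.amazonaws.com",
     "eventName": "ResolveCase", "requestParameters": {"caseId": "case-example-2"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
]

def ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def flag_case_closures(events, quick=timedelta(minutes=30),
                       new_user=timedelta(days=7), hours=range(8, 18)):
    """Return (caseId, principal ARN, reasons) for each suspicious ResolveCase."""
    created_users, opened_cases, findings = {}, {}, []
    for ev in sorted(events, key=ts):
        src, name = ev["eventSource"], ev["eventName"]
        if src == "iam.amazonaws.com" and name == "CreateUser":
            created_users[ev["requestParameters"]["userName"]] = ts(ev)
        elif src == "support.amazonaws.com" and name == "CreateCase":
            opened_cases[(ev.get("responseElements") or {}).get("caseId")] = ts(ev)
        elif src == "support.amazonaws.com" and name == "ResolveCase":
            when, arn = ts(ev), ev["userIdentity"]["arn"]
            case_id = (ev.get("requestParameters") or {}).get("caseId")
            reasons = []
            if when.weekday() >= 5 or when.hour not in hours:  # business hours in UTC
                reasons.append("outside_business_hours")
            opened = opened_cases.get(case_id) if case_id else None
            if opened and when - opened <= quick:
                reasons.append("closed_soon_after_creation")
            user = arn.rsplit("/", 1)[-1] if ":user/" in arn else None
            if user in created_users and when - created_users[user] <= new_user:
                reasons.append("closed_by_new_iam_user")
            if reasons:
                findings.append((case_id, arn, reasons))
    return findings
```

Cases that AWS opens automatically may have no CreateCase record from the account, so the creation-time check only fires when the opening event is present in the input.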

Amazon GuardDuty may generate findings related to the initial account compromise or suspicious IAM activity preceding the support case closure. For the full list, see the GuardDuty IAM finding types in the Amazon GuardDuty documentation.



Mitigation

Restrict access to AWS Support Center by implementing strict IAM policies that limit support case management to authorized personnel and established IAM roles. Configure notifications for all support case updates to be sent to multiple trusted email addresses outside of the AWS account. For more information about managing AWS Support cases, see the AWS Support documentation.



AWS Specific Information


AWS CloudTrail Event Names:
  • support:ResolveCase

Technique Information

ID: T1098.A001
Aliases: T1098.A001
Sub-technique of: T1098
Tactics:
  • Persistence
  • Privilege Escalation
Platforms:
  • IaaS
  • Amazon Web Services (AWS)
Created: 01 Dec 2025
Last Modified: 01 Dec 2025