Cloud Service Dashboard

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.

Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.

AWS Specific Content


A prerequisite for this technique is that a threat actor has already compromised the login credentials and gained control of an AWS identity with a login profile configured. Alternatively, a threat actor who controls long-term credentials can generate a URL that grants access to the AWS Management Console for an IAM user without a login profile configured.

A Cloud Service Dashboard is a GUI that provides access to cloud services. In AWS, the Cloud Service Dashboard is the AWS Management Console. Using a compromised AWS identity, threat actors can access the identity's AWS account through the AWS Management Console, which gives a threat actor a more intuitive way of navigating the AWS account and a more efficient way to view and interact with resources than the AWS CLI. Note that the ability to view and access resources is still restricted to the permissions granted to the AWS identity that the threat actor controls.

In some cases, accessing the AWS Management Console will be the Initial Access vector: the threat actor attempts to gain access to the AWS account by obtaining the credentials of a root user, an IAM user, or an AWS IAM Identity Center user. Console access is typically granted to an IAM user by creating a login profile and enabling console access; however, threat actors can also use scripts to create a URL that lets an IAM user log on to the AWS Management Console without a login profile. In this scenario, while it is still possible to log in to the AWS Management Console, the ability to view and edit resources in the AWS account remains bound by the permissions granted to the IAM or Identity Center user.

Detection

Monitor for newly constructed logon behavior across cloud service management consoles. In AWS environments, look for the ConsoleLogin sign-in event.

AWS Specific Content


When this technique is used by the threat actor, actions taken by the threat actor using the credentials obtained will be logged in CloudTrail. You can use the Event history page in the AWS CloudTrail console to view the last 90 days of management events in an AWS Region for the events listed in the AWS CloudTrail Event Name(s) section, such as signin:ConsoleLogin.

A separate CloudTrail trail gives you an ongoing record of events in your AWS account beyond the 90-day window and can be configured to log events in multiple Regions. You can review these events using the console as well as the AWS CLI.

It is also possible to create a CloudWatch metric filter to watch for when specific AWS API calls are used and perform notification actions if logged, and additionally configure CloudWatch to automatically perform an action in response to an alarm.

Amazon GuardDuty has detections in place for when multiple successful console logins for the same IAM user are observed around the same time from various geographical locations.
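The checks above (signin:ConsoleLogin events in CloudTrail, and the GuardDuty-style heuristic of one principal logging in from several places at once) applied to constructed CloudTrail records, as an added example that is not part of the original page or of any AWS tooling. The records, principal names and IP addresses are made up for the demonstration, and the multi-source rule compares source IPs rather than geolocating them.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records shaped like signin ConsoleLogin events (not real data;
# IP addresses are from documentation ranges). The AssumeRole record is non-login noise.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "eventTime": "2025-05-30T10:00:00Z",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "eventTime": "2025-05-30T10:12:00Z",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "eventTime": "2025-05-30T11:00:00Z",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "eventTime": "2025-05-30T11:05:00Z",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

def console_logins(raw_json):
    """Keep only the signin:ConsoleLogin events the page says to monitor."""
    return [r for r in json.loads(raw_json)["Records"]
            if r.get("eventSource") == "signin.amazonaws.com" and r.get("eventName") == "ConsoleLogin"]

def triage(raw_json, window_minutes=60):
    """Return sorted (rule, principal) findings for the console logins in a CloudTrail dump."""
    findings, by_user = set(), defaultdict(list)  # by_user: principal -> [(time, source IP)]
    for rec in console_logins(raw_json):
        ident = rec.get("userIdentity", {})
        who = "root" if ident.get("type") == "Root" else ident.get("userName", "unknown")
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            findings.add(("failed_login", who))
            continue
        if who == "root":
            findings.add(("root_login", who))  # root should not be used for routine console access
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.add(("login_without_mfa", who))
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_user[who].append((when, rec.get("sourceIPAddress")))
    # Same principal succeeding from different source IPs inside the window: an offline stand-in
    # for the multi-location heuristic GuardDuty applies (no IP geolocation is done here).
    for who, logins in by_user.items():
        logins.sort()
        for i, (t1, ip1) in enumerate(logins):
            for t2, ip2 in logins[i + 1:]:
                if ip1 != ip2 and (t2 - t1).total_seconds() <= window_minutes * 60:
                    findings.add(("multi_source_login", who))
    return sorted(findings)
```

Run against a real trail export, the same two functions can be pointed at the Records array of any CloudTrail log file; the window is the only tunable.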


ID: DS0028
Data Source: Logon Session
Data Component: Logon Session Creation
Description: Monitor for newly constructed logon behavior across cloud service management consoles. In AWS environments, look for the ConsoleLogin sign-in event.

Mitigation

Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account. In AWS environments, consider configuring Service Control Policies to restrict console access to only specific users.

AWS Specific Content


The following security best practices will help to mitigate the compromise and unauthorized use of user credentials by threat actors.

You can make sure that principals are scoped with the least-privileged permissions necessary to perform their duties, limiting the ability to perform unauthorized actions in an AWS account. One possible method of applying the principle of least privilege is to use Service Control Policies to restrict the maximum available permissions for the IAM users and IAM roles within your AWS Organizations accounts (note: you should test SCPs in a development environment before deploying them in production).

You can also use IAM Access Analyzer to regularly review and verify access and manage permissions across your AWS environment, which will highlight AWS identities with excessive permissions and the actions performed by those identities.


ID: M1018
Mitigation: User Account Management
Description: Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account. In AWS environments, consider configuring Service Control Policies to restrict console access to only specific users.

References

AWS Specific Information


AWS Services:
  • AWS Sign-In
AWS CloudTrail Event Names:
  • signin:ConsoleLogin
  • signin:SwitchRole

Technique Information

ID: T1538
Aliases: T1538
Sub-techniques: None
Tactics:
  • Initial Access
  • Persistence
  • Discovery
Platforms:
  • Azure AD
  • Office 365
  • IaaS
  • Google Workspace
  • Amazon Web Services (AWS)
Created: 30 Aug 2019
Last Modified: 30 May 2025