Modify Cloud Resource Hierarchy: Invite Accounts to Unknown Organization
AWS Specific Sub-Technique
Other sub-techniques of Modify Cloud Resource Hierarchy (3)
| ID | Name |
|---|---|
| T1666.A001 | Create or Invite AWS Account |
| T1666.A003 | Invite Accounts to Unknown Organization |
| T1666.A002 | Leave AWS Organization |
AWS Specific Content
A prerequisite for this technique is that a threat actor has already gained control of an AWS identity with the permissions to perform the actions listed in the AWS CloudTrail Event Name(s) section.
With access to an AWS identity that has the appropriate permissions, threat actors may accept, from the compromised account, an invitation sent by an AWS Organization they control. Accepting the invitation moves the compromised account into the threat actor controlled AWS Organization.
Detection
AWS Specific Content
You can use the Event history page in the AWS CloudTrail console to view the last 90 days of management events recorded in an AWS Region, and filter them by the event names listed for this technique.
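To make the Event history check above repeatable, here is an added example (not part of this catalog entry) that scans CloudTrail records for the AWS Organizations `AcceptHandshake` management event, flags accepted handshakes whose organization party is not on an allow list, and also surfaces denied attempts. It assumes `AcceptHandshake` is the relevant event name for this technique (the event-name section referenced above is not reproduced here); the sample records and the `KNOWN_ORG_IDS` value are constructed.

```python
import json

# Organization IDs this account is expected to belong to (constructed placeholder value).
KNOWN_ORG_IDS = {"o-knownorg000"}

# Constructed CloudTrail records shaped like AWS Organizations AcceptHandshake events;
# the handshake "parties" list carries the ID of the organization being joined.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "AcceptHandshake",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
  "requestParameters": {"handshakeId": "h-known0001"},
  "responseElements": {"handshake": {"parties": [
     {"id": "o-knownorg000", "type": "ORGANIZATION"},
     {"id": "111111111111", "type": "ACCOUNT"}]}}},
 {"eventTime": "2024-05-01T11:02:00Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "AcceptHandshake",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"},
  "requestParameters": {"handshakeId": "h-unknown0002"},
  "responseElements": {"handshake": {"parties": [
     {"id": "o-unknownorg99", "type": "ORGANIZATION"},
     {"id": "111111111111", "type": "ACCOUNT"}]}}},
 {"eventTime": "2024-05-01T11:05:00Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "AcceptHandshake", "errorCode": "AccessDeniedException",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"},
  "requestParameters": {"handshakeId": "h-unknown0003"}},
 {"eventTime": "2024-05-01T11:06:00Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "ListHandshakesForAccount",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}}
]""")

def organization_ids(event):
    """Return ORGANIZATION party IDs from an AcceptHandshake response (empty if absent)."""
    handshake = (event.get("responseElements") or {}).get("handshake") or {}
    return {p["id"] for p in handshake.get("parties", []) if p.get("type") == "ORGANIZATION"}

def find_unknown_org_joins(events, known_org_ids):
    """Flag AcceptHandshake calls joining an unlisted organization, and failed attempts."""
    findings = []
    for e in events:
        if e.get("eventSource") != "organizations.amazonaws.com" or e.get("eventName") != "AcceptHandshake":
            continue
        actor = e.get("userIdentity", {}).get("arn", "unknown")
        if "errorCode" in e:  # the call was denied, but the identity still tried to accept
            findings.append((e["eventTime"], actor, "attempt-failed", None))
            continue
        for org in sorted(organization_ids(e) - known_org_ids):
            findings.append((e["eventTime"], actor, "joined-unknown-organization", org))
    return findings
```

Records for the 90-day window can be pulled with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AcceptHandshake` and fed to the same function.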
Mitigation
AWS Specific Content
Applying Multifactor Authentication (MFA) as a critical security layer helps mitigate the risk of unintended access to users and roles.