AWS CloudTrail Falco rules

Scroll Top AUTOSCALING 2rules CLOUDSHELL 1rules CLOUDTRAIL 7rules CLOUDWATCH 3rules CONFIG 19rules CONSOLE 2rules DMS 1rules EBS 1rules EC2 20rules ECR 1rules ECS 8rules ECS EXEC 3rules EFS 1rules ELASTICSEARCH 2rules ELB 5rules FARGATE 8rules GUARDDUTY 6rules IAM 31rules KMS 5rules LAMBDA 5rules RDS 13rules ROUTE53 3rules S3 12rules SAGEMAKER 1rules SECRETSMANAGER 1rules SECURITYHUB 9rules VPC 14rules WAF 2rules OTHER 1rules

Total 176 rules.

AUTOSCALING

Create Autoscaling Group without ELB Health Checks

Detect the creation of an autoscaling group associated with with a load balancer which is not using health checks.

cloud aws aws_autoscaling fsbp_aws_autoscaling.1
Update Autoscaling Group without ELB Health Checks

Detect the update of an autoscaling group associated with with a load balancer which is not using health checks.

cloud aws aws_autoscaling fsbp_aws_autoscaling.1

CLOUDSHELL

CloudShell Environment Created

Detect creation of a new Cloud Shell environment.

cloud aws aws_cloudshell

CLOUDTRAIL

CloudTrail Trail Created

Detect creation of a new trail.

cloud aws aws_cloudtrail mitre_TA0009-collection mitre_T1530-data-from-cloud-storage-object
CloudTrail Trail Deleted

Detect deletion of an existing trail.

cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
CloudTrail Logfile Encryption Disabled

Detect disabling the CloudTrail logfile encryption.

cloud aws aws_cloudtrail cis_aws_2.7 fsbp_aws_cloudtrail.2
CloudTrail Logfile Validation Disabled

Detect disabling the CloudTrail logfile validation.

cloud aws aws_cloudtrail cis_aws_2.2
CloudTrail Logging Disabled

The CloudTrail logging has been disabled, this could be potentially malicious.

cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
CloudTrail Multi-region Disabled

Detect disabling CloudTrail multi-region.

cloud aws aws_cloudtrail cis_aws_2.1 fsbp_aws_cloudtrail.1
CloudTrail Trail Updated

Detect update of an existing trail.

cloud aws aws_cloudtrail mitre_TA0009-collection mitre_TA0040-impact mitre_T1492-store-data-manipulation mitre_T1530-data-from-cloud-storage-object

CLOUDWATCH

CloudWatch Delete Alarms

Detect deletion of an alarm.

cloud aws aws_cloudwatch mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
CloudWatch Delete Log Group

Detect deletion of a CLoudWatch log group.

cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction
CloudWatch Delete Log Stream

Detect deletion of a CLoudWatch log stream.

cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction

CONFIG

Delete Config Rule

Detect deletion of a configuration rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Configuration Aggregator

Detect deletion of the configuration aggregator.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Configuration Recorder

Detect deletion of the configuration recorder.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Conformance Pack

Detect deletion of a conformance pack.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Delivery Channel

Detect deletion of the delivery channel.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Organization Config Rule

Detect deletion of an organization config rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Organization Conformance Pack

Detect deletion of an organization conformance pack.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Remediation Configuration

Detect deletion of a remediation configuration.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Retention Configuration

Detect deletion of the retention configuration with details about retention period (number of days) that AWS Config stores historical information.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Config Rule

Detect addition or update in an AWS Config rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Configuration Aggregator

Detect creation and update of the configuration aggregator with the selected source accounts and regions.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Conformance Pack

Detect creation or update of a conformance pack.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Delivery Channel

Detect creation of a delivery channel.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Organization Config Rule

Detect addition or update in an AWS Organization Config rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Organization Conformance Pack

Detect deployment of conformance packs across member accounts in an AWS Organization.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Remediation Configurations

Detect addition or update of the remediation configuration with a specific AWS Config rule with the selected target or action.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Remediation Exceptions

Detect addition of a new exception or updates an existing exception for a specific resource with a specific AWS Config rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Retention Configuration

Detect creation or update of the retention configuration with details about retention period (number of days) that AWS Config stores historical information.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Stop Configuration Recorder

Detect stoping the configuration recorder.

cloud aws aws_config cis_aws_2.5 fsbp_aws_config.1 mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

CONSOLE

Console Login Without MFA

Detect a console login without MFA.

cloud aws aws_console cis_aws_3.2
Console Root Login Without MFA

Detect root console login without MFA.

cloud aws aws_console mitre_TA0040-impact mitre_T1531-account-access-removal

DMS

Create Public DMS Replication Instance

Detect creation of a public DMS replication instance.

cloud aws aws_dms fsbp_aws_dms.1

EBS

EBS Volume Creation without Encryption at Rest

Detect creation of an EBS volume without encryption at rest enabled.

cloud aws aws_ebs fsbp_aws_ec2.3

EC2

Allocate New Elastic IP Address to AWS Account

Detect that a public IP address has been allocated to the account.

cloud aws aws_ec2
Associate Elastic IP Address to AWS Network Interface

Detect that a public IP address has been associated with a network interface.

cloud aws aws_ec2
Authorize Security Group Egress

Detect addition of the specified egress rules to a security group.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Authorize Security Group Ingress

Detect addition of the specified ingress rules to a security group.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create Snapshot

Detect creation of an EBS volume snapshot and stores it in Amazon S3.

cloud aws aws_ec2
Delete Subnet

Detect deletion of the specified subnet.

cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction
Describe Instances

Detect description of the specified EC2 instances or all EC2 instances.

cloud aws aws_ec2
Disable EBS Encryption by Default

Detect disabling EBS encryption by default for an account in the current region.

cloud aws aws_ec2 mitre_TA0040-impact mitre_T1492-store-data-manipulation
Make EBS Snapshot Public

Detect making public an EBS snapshot.

cloud aws aws_ec2 fsbp_aws_ec2.1
EC2 Serial Console Access Enabled

Detect EC2 serial Console Acess enabled in the account for a specific region.

cloud aws aws_ec2
Get Password Data

Detect retrieval of the encrypted administrator password for a running Windows instance.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_T1108-redundant-access
Modify Image Attribute

Detect modification of the specified attribute of the specified AMI.

cloud aws aws_ec2 mitre_TA0010-exfiltration
Modify Snapshot Attribute

Detect addition or removal of permission settings for the specified EC2 snapshot.

cloud aws aws_ec2 mitre_TA0010-exfiltration mitre_T1537-transfer-data-to-cloud-account
Replace Route

Detect replacing an existing route within a route table in a VPC.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Revoke Security Group Egress

Detect removal of the specified egress rules from a security group.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Revoke Security Group Ingress

Detect removal of the specified ingress rules from a security group.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Run Instances

Detect launching of a specified number of instances.

cloud aws aws_ec2
Run Instances in Non-approved Region

Detect launching of a specified number of instances in a non-approved region.

cloud aws aws_ec2
Run Instances with Non-standard Image

Detect launching of a specified number of instances with a non-standard image.

cloud aws aws_ec2
Delete Cluster

Detect deletion of the specified cluster.

cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction

ECR

ECR Image Pushed

Detect a new image has been pushed to an ECR registry

cloud aws aws_ecr

ECS

ECS Service Created

Detect a new service is created in ECS.

cloud aws aws_ecs aws_fargate
ECS Service Deleted

Detect a service is deleted in ECS.

cloud aws aws_ecs aws_fargate
Execute Command inside an ECS Container

Detect execution of a command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
Execute Interactive Command inside an ECS Container

Detect execution of an interactive command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
ECS Task Run or Started

Detect a new task is started in ECS.

cloud aws aws_ecs aws_fargate
ECS Task Stopped

Detect a task is stopped in ECS.

cloud aws aws_ecs aws_fargate
Terminal Shell in ECS Container

A terminal shell has been executed inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
ECS Service Task Definition Updated

Detect a service task definition is updated in ECS.

cloud aws aws_ecs aws_fargate

ECS EXEC

Execute Command inside an ECS Container

Detect execution of a command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
Execute Interactive Command inside an ECS Container

Detect execution of an interactive command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
Terminal Shell in ECS Container

A terminal shell has been executed inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell

EFS

Create Unencrypted EFS

Detect creation of an unencrypted elastic file system.

cloud aws aws_efs

ELASTICSEARCH

Elasticsearch Domain Creation without Encryption at Rest

Detect creation of an Elasticsearch domain without encryption at rest enabled.

cloud aws aws_elasticsearch fsbp_aws_es.1
Elasticsearch Domain Creation without VPC

Detect creation of an Elasticsearch domain without a VPC.

cloud aws aws_elasticsearch

ELB

Create HTTP Target Group without SSL

Detect creation of HTTP target group not using SSL.

cloud aws aws_elb
Create Internet-facing AWS Public Facing Load Balancer

Detect creation of an AWS internet-facing load balancer.

cloud aws aws_elb
Create Internet-facing AWS Public Facing Load Balancer without Required Tags

Detect creation of an AWS internet-facing load balancer without the required tags.

cloud aws aws_elb
Delete Listener

Detect deletion of the specified listener.

cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application
Modify Listener

Detect replacing the specified properties of the specified listener.

cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application

FARGATE

ECS Service Created

Detect a new service is created in ECS.

cloud aws aws_ecs aws_fargate
ECS Service Deleted

Detect a service is deleted in ECS.

cloud aws aws_ecs aws_fargate
Execute Command inside an ECS Container

Detect execution of a command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
Execute Interactive Command inside an ECS Container

Detect execution of an interactive command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
ECS Task Run or Started

Detect a new task is started in ECS.

cloud aws aws_ecs aws_fargate
ECS Task Stopped

Detect a task is stopped in ECS.

cloud aws aws_ecs aws_fargate
Terminal Shell in ECS Container

A terminal shell has been executed inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
ECS Service Task Definition Updated

Detect a service task definition is updated in ECS.

cloud aws aws_ecs aws_fargate

GUARDDUTY

Delete Detector

Detect deletion of an Amazon GuardDuty detector.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Guard Duty Delete Members

Detect deletion of GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable GuardDuty

Detect disabling of GuardDuty.

cloud aws aws_guardduty fsbp_aws_guardduty.1
Guard Duty Disassociate from Master Account

Detect disassociation of the current GuardDuty member account from its administrator account.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Guard Duty Disassociate Members

Detect disassociation of GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Stop Monitoring Members

Detect stopping GuardDuty monitoring for the specified member accounts.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

IAM

Logged in without Using MFA

Detect user login without using MFA (multi-factor authentication).

cloud aws aws_iam
Password Recovery Requested

Detect AWS IAM password recovery requests.

cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
Put Inline Policy in Group to Allow Access to All Resources

Detect putting an inline policy in a group that allows access to all resources.

cloud aws aws_iam
Create Access Key for Root User

Detect creation of an access key for root.

cloud aws aws_iam cis_aws_1.12 fsbp_aws_iam.4 mitre_TA0001-initial-access mitre_T1078-valid-accounts
Deactivate Hardware MFA for Root User

Detect deactivating hardware MFA configuration for root.

cloud aws aws_iam cis_aws_1.14 fsbp_aws_iam.6
Deactivate MFA for Root User

Detect deactivating MFA configuration for root.

cloud aws aws_iam cis_aws_1.13
Deactivate Virtual MFA for Root User

Detect deactivating virtual MFA configuration for root.

cloud aws aws_iam cis_aws_1.13
Delete Virtual MFA for Root User

Detect deleting MFA configuration for root.

cloud aws aws_iam cis_aws_1.13 pcs_dss_iam.5
Root User Executing AWS Command

Detect root user executing AWS command.

cloud aws aws_iam cis_aws_1.1
Add AWS User to Group

Detect adding an user to a group.

cloud aws aws_iam
Attach Administrator Policy

Detect attaching an administrator policy to a user.

cloud aws aws_iam
Attach IAM Policy to User

Detect attaching an IAM policy to a user.

cloud aws aws_iam cis_aws_1.16 fsbp_aws_iam.2
Create Group

Detect creation of a new user group.

cloud aws aws_iam mitre_TA0003-persistence mitre_T1108-redundant-access
Create Security Group Rule Allowing SSH Ingress

Detect creation of security group rule allowing SSH ingress.

cloud aws aws_iam
Create Security Group Rule Allowing Ingress Open to the World

Detect creation of security group rule allowing ingress open to the world.

cloud aws aws_iam
Create AWS user

Detect creation of a new AWS user.

cloud aws aws_iam mitre_TA0003-persistence mitre_T1136-create-account
Create IAM Policy that Allows All

Detect creation of IAM policy that allows all.

cloud aws aws_iam cis_aws_1.22 fsbp_aws_iam.1
Deactivate MFA for User Access

Detect deactivating MFA configuration for user access.

cloud aws aws_iam cis_aws_1.2 fsbp_aws_iam.5
Delete Group

Detect deletion of a user group.

cloud aws aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
Put IAM Inline Policy to User

Detect putting an IAM inline policy to an user.

cloud aws aws_iam cis_aws_1.16 fsbp_aws_iam.2
Update Account Password Policy Not Expiring

Detect updating password policy not expiring at all.

cloud aws aws_iam cis_aws_1.11 fsbp_aws_iam.7
Update Account Password Policy Expiring in More Than 90 Days

Detect updating password policy expiring in more than 90 days.

cloud aws aws_iam cis_aws_1.11 fsbp_aws_iam.7
Update Account Password Policy Not Preventing Reuse of Last 24 Passwords

Detect updating password policy not preventing reuse of the last 24 passwords.

cloud aws aws_iam cis_aws_1.10 fsbp_aws_iam.7
Update Account Password Policy Not Preventing Reuse of Last 4 Passwords

Detect updating password policy not preventing reuse of the last 4 passwords.

cloud aws aws_iam
Update Account Password Policy Not Requiring 14 Characters

Detect updating password policy not requiring a minimum length of 14 characters.

cloud aws aws_iam cis_aws_1.9 fsbp_aws_iam.7
Update Account Password Policy Not Requiring 7 Characters

Detect updating password policy not requiring a minimum length of 7 characters.

cloud aws aws_iam
Update Account Password Policy Not Requiring Lowercase

Detect updating password policy not requiring the use of an lowercase letter

cloud aws aws_iam cis_aws_1.6 fsbp_aws_iam.7
Update Account Password Policy Not Requiring Number

Detect updating password policy not requiring the use of a number

cloud aws aws_iam cis_aws_1.8 fsbp_aws_iam.7
Update Account Password Policy Not Requiring Symbol

Detect updating password policy not requiring the use of a symbol

cloud aws aws_iam cis_aws_1.7 fsbp_aws_iam.7
Update Account Password Policy Not Requiring Uppercase

Detect updating password policy not requiring the use of an uppercase letter

cloud aws aws_iam cis_aws_1.5 fsbp_aws_iam.7
Update Assume Role Policy

Detect modifying a role.

cloud aws aws_iam mitre_TA0006-credential-access mitre_T1110-brute-force

KMS

Create Customer Master Key

Detect creation of a new CMK (with rotation disabled).

cloud aws aws_kms
Disable CMK Rotation

Detect disabling of a customer master key's rotation.

cloud aws aws_kms
Disable Key

Detect disabling a customer master key (CMK), thereby preventing its use for cryptographic operations.

cloud aws aws_kms
Remove KMS Key Rotation

Detect removal of KMS key rotation.

cloud aws aws_kms
Schedule Key Deletion

Detect scheduling of the deletion of a customer master key.

cloud aws aws_kms

LAMBDA

Create Lambda Function

Detect creation of a Lambda function.

cloud aws aws_lambda mitre_TA0003-persistence
Create Lambda Function Not Using Latest Runtime

Detect creation of a Lambda function using and old or deprecated runtime.

cloud aws aws_lambda fsbp_aws_lambda.2 mitre_T1190-exploit-public-facing-application
Dissociate Lambda Function from VPC

Detect dissociation of a Lambda function from a VPC.

cloud aws aws_lambda
Update Lambda Function Code

Detect updates to a Lambda function code.

cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking
Update Lambda Function Configuration

Detect updates to a Lambda function configuration.

cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking

RDS

Authorize DB Security Group Ingress

Detect enabling ingress to a DBSecurityGroup using one of two forms of authorization.

cloud aws aws_rds
Create DB Cluster

Detect creation of a database cluster.

cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
Create DB Security Group

Detect creation of a database security group.

cloud aws aws_rds
Create Global Cluster

Detect creation of a global cluster.

cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
Delete DB Cluster

Detect deletion of a database cluster.

cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
Delete DB Security Group

Detect deletion of a database security group.

cloud aws aws_rds
Delete DB Snapshot

Detect deletion of a database snapshot.

cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
Make RDS DB Instance Public

Detect making public an RDS DB instance.

cloud aws aws_rds
Make RDS Snapshot Public

Detect making public an RDS snapshot.

cloud aws aws_rds
Modify RDS Snapshot Attribute

Detect modification of an RDS snapshot attribute.

cloud aws aws_rds mitre_TA0010-exfitration mitre_T1537-transfer-data-to-cloud-account
Revoke DB Security Group Ingress

Detect revocation ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups.

cloud aws aws_rds
Stop DB Cluster

Detect stopping of a database cluster.

cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop
Stop DB Instance

Detect stopping of a database instance.

cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop

ROUTE53

Associate VPC with Hosted Zone

Detect association of an Amazon VPC with a private hosted zone.

cloud aws aws_route53
Change Resource Record Sets

Detect creation, changes, or deletion of a resource record set.

cloud aws aws_route53
Register Domain

Detect registry of a new domain.

cloud aws aws_route53

S3

Delete Bucket CORS

Detect deletion of the cors configuration for a bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Encryption

Detect deleting configuration to use encryption for bucket storage.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Lifecycle

Detect deletion of the lifecycle configuration from the specified bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Policy

Detect deletion of the policy of a specified bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Public Access Block

Detect deleting blocking public access to bucket.

cloud aws aws_s3
Delete Bucket Replication

Detect deletion of the replication configuration from the bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
List Buckets

Detect listing of all S3 buckets.

cloud aws aws_s3 mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
Put Bucket ACL

Detect setting the permissions on an existing bucket using access control lists.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket CORS

Detect setting the cors configuration for a bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Lifecycle

Detect creation or modification of a lifecycle configuration for the bucket [DEPRECATED use `Put Bucket Lifecycle Configuration` instead].

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Policy

Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Replication

Detect creation of a replication configuration or the replacement of an existing one..

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

SAGEMAKER

Create SageMaker Notebook Instance with Direct Internet Access

Detect creation of a SageMaker notebook instance with direct internet access.

cloud aws aws_sagemaker

SECRETSMANAGER

Get Secret Value

Detect retrieval of the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.

cloud aws aws_secretsmanager mitre_TA0006-credential-access mitre_T1528-steal-application-access-token

SECURITYHUB

Batch Disable Standards

Detect disabling of the standards specified by the provided StandardsSubscriptionArns.

cloud aws aws_securityhub
Delete Action Target

Detect deletion of a custom action target from Security Hub.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Delete Members

Detect deletion the specified member accounts from Security Hub.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable Security Hub

Detect disabling the Security Hub in the current region.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable Import Findings for Product

Detect disabling of the integration of the specified product with Security Hub.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Disassociate From Master Account

Detect disassociation of the current Security Hub member account from the associated master account.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Disassociate Members

Detect disassociation of the current Security Hub member account from the associated master account.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Update Action Target

Detect updating the name and description of a custom action target in Security Hub.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Update Standards Control

Detect enabling or disabling of a standard control.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

VPC

Accept VPC Peering Connection

Detect accepting an VPC peering connection.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Attach Internet Gateway

Detect attaching an internet gateway.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL

Detect creating a network ACL.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL Entry

Detect creating a network ACL entry.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL Entry Allowing Ingress Open to the World

Detect creation of access control list entry allowing ingress open to the world.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC Route

Detect creating an VPC route.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC Peering Connection

Detect creating an VPC peering connection.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC with Default Security Group

Detect creation of a new VPC with default security group.

cloud aws aws_vpc cis_aws_4.3 fsbp_aws_ec2.2
Create VPC with No Flow Log

Detect creation of a new VPC with no flow log.

cloud aws aws_vpc cis_aws_2.9 fsbp_aws_2ec.6
Delete VPC Flow Log

Detect deleting VPC flow log.

cloud aws aws_vpc cis_aws_2.9 fsbp_aws_ec2.6 mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
Delete a Network ACL

Detect deleting a network ACL.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Delete a Network ACL Entry

Detect deletion of a network ACL entry.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Replace a Network ACL Association

Detect replacement of a network ACL association.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Replace a Network ACL Entry

Detect replacement of a network ACL entry.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

WAF

Delete WAF Rule Group

Detect deleting a WAF rule group.

cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Web ACL

Detect deleting a web ACL.

cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

OTHER

AWS Command Executed on Unused Region

Detect AWS command execution on unused regions.

cloud aws mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions

Please visit any of the following sections for more information: