Query Details

AWS Cloud Trail AWS AMI Publicly Exposed

Query

// https://github.com/FalconForceTeam/FalconFriday/blob/master/Collection/0xFF-0236-Resource_Shared_with_Unknown_External_Account-AWS.md
AWSCloudTrail
| where EventName == "ModifyImageAttribute"
| mv-expand Item = todynamic(RequestParameters)["launchPermission"]["add"]["items"]
| where Item["userId"] contains "*" or Item["group"] has "all"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to modifying image attributes. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by accessing the AWSCloudTrail logs, which contain records of actions taken in an AWS account.

  2. Filter by Event: It filters the logs to only include events where the EventName is "ModifyImageAttribute". This event occurs when someone changes the attributes of an Amazon Machine Image (AMI).

  3. Expand Launch Permissions: The query uses mv-expand to break down the RequestParameters related to launchPermission changes, specifically looking at the add items. This is to examine who has been granted permission to launch the AMI.

  4. Identify Public Sharing: It further filters these permissions to find cases where the userId contains a wildcard "*" or the group includes "all". This indicates that the AMI has been shared publicly or with all AWS accounts.

  5. Invoke Role Information: The invoke AWSIdentityRole() function is used to gather additional identity and role information about the user who performed the action.

  6. Select Relevant Information: Finally, it selects and projects a variety of fields to provide detailed information about the event, including:

    • TimeGenerated: When the event was logged.
    • UserIdentityType, Identity, ActorRole: Information about the user who made the change.
    • UserIdentityAccountId, UserIdentityAccountName: The account details of the user.
    • RecipientAccountId, RecipientAccountName: The account that received the permissions.
    • AWSRegion: The AWS region where the event occurred.
    • SessionCreationDate: When the session was created.
    • UserIdentityPrincipalid, UserIdentityArn: Additional identity details.
    • SourceIpAddress: The IP address from which the request was made.
    • EventSource, EventTypeName, EventName: Details about the event type and source.
    • ManagementEvent, ReadOnly: Flags indicating the nature of the event.
    • ErrorCode, ErrorMessage: Any errors that occurred.
    • RequestParameters, ResponseElements, Resources: Details about the request and response.
    • SessionMfaAuthenticated: Whether multi-factor authentication was used.
    • UserAgent: The user agent string of the requester.
    • AwsEventId: The unique identifier for the event.

In summary, this query is used to detect and provide detailed information about instances where an AMI's launch permissions have been modified to allow access to unknown or potentially unauthorized external accounts.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AwscloudtrailEventnameRequestparametersItemUseridGroupAwsidentityroleTimegeneratedUseridentitytypeIdentityActorroleUseridentityaccountidUseridentityaccountnameRecipientaccountidRecipientaccountnameAwsregionSessioncreationdateUseridentityprincipalidUseridentityarnSourceipaddressEventsourceEventtypenameManagementeventReadonlyErrorcodeErrormessageResponseelementsResourcesSessionmfaauthenticatedUseragentAwseventid

Operators

AWSCloudTrail|where==mv-expandtodynamic()containsorhasinvokeproject

Actions

GitHub