AWS Cloud Trail AWS AMI Publicly Exposed
Query
// https://github.com/FalconForceTeam/FalconFriday/blob/master/Collection/0xFF-0236-Resource_Shared_with_Unknown_External_Account-AWS.md
AWSCloudTrail
| where EventName == "ModifyImageAttribute"
| mv-expand Item = todynamic(RequestParameters)["launchPermission"]["add"]["items"]
| where Item["userId"] contains "*" or Item["group"] has "all"
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to modifying image attributes. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by accessing the
AWSCloudTraillogs, which contain records of actions taken in an AWS account. -
Filter by Event: It filters the logs to only include events where the
EventNameis "ModifyImageAttribute". This event occurs when someone changes the attributes of an Amazon Machine Image (AMI). -
Expand Launch Permissions: The query uses
mv-expandto break down theRequestParametersrelated tolaunchPermissionchanges, specifically looking at theadditems. This is to examine who has been granted permission to launch the AMI. -
Identify Public Sharing: It further filters these permissions to find cases where the
userIdcontains a wildcard "*" or thegroupincludes "all". This indicates that the AMI has been shared publicly or with all AWS accounts. -
Invoke Role Information: The
invoke AWSIdentityRole()function is used to gather additional identity and role information about the user who performed the action. -
Select Relevant Information: Finally, it selects and projects a variety of fields to provide detailed information about the event, including:
TimeGenerated: When the event was logged.UserIdentityType,Identity,ActorRole: Information about the user who made the change.UserIdentityAccountId,UserIdentityAccountName: The account details of the user.RecipientAccountId,RecipientAccountName: The account that received the permissions.AWSRegion: The AWS region where the event occurred.SessionCreationDate: When the session was created.UserIdentityPrincipalid,UserIdentityArn: Additional identity details.SourceIpAddress: The IP address from which the request was made.EventSource,EventTypeName,EventName: Details about the event type and source.ManagementEvent,ReadOnly: Flags indicating the nature of the event.ErrorCode,ErrorMessage: Any errors that occurred.RequestParameters,ResponseElements,Resources: Details about the request and response.SessionMfaAuthenticated: Whether multi-factor authentication was used.UserAgent: The user agent string of the requester.AwsEventId: The unique identifier for the event.
In summary, this query is used to detect and provide detailed information about instances where an AMI's launch permissions have been modified to allow access to unknown or potentially unauthorized external accounts.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators