Query Details
let _AWSAccounts =
    _GetWatchlist("AccountId-AuditAWSAccounts")
    | project AccountId, AccountName, Auditors = Auditor, AlertSeverity = Severity, Notes
;
AWSCloudTrail
// Keep CreateUser calls that did not come through IAM Identity Center (the SSO directory)
| where EventName has "CreateUser" and not(EventSource == "sso-directory.amazonaws.com") // and EventSource == "iam.amazonaws.com"
// Name of the user being created, taken from the request parameters JSON
| extend CreatedUserName = tostring(todynamic(RequestParameters)["userName"])
// Enrich the account that received the API call with its watchlist metadata
| lookup kind=leftouter (
    _AWSAccounts
    | project-rename RecipientAccountName = AccountName
) on $left.RecipientAccountId == $right.AccountId
//| where Notes has "[CreateUser]" or isempty(RecipientAccountName)
// Enrich the account of the calling identity with its watchlist name
| lookup kind=leftouter (
    _AWSAccounts
    | project UserIdentityAccountName = AccountName, AccountId
) on $left.UserIdentityAccountId == $right.AccountId
| extend AlertDescription = strcat(
    'This rule detects the creation of a user in AWS accounts using means different than IAM Identity Center, which should be the one used for this task.\n\nIn the AWS account "',
    iff(isnotempty(RecipientAccountName), RecipientAccountName, RecipientAccountId),
    '" ',
    // Describe who performed the action, depending on the CloudTrail identity type
    case(
        UserIdentityType == "Root", "the root user",
        UserIdentityType == "AssumedRole", strcat('the user "', tostring(split(UserIdentityPrincipalid, ":")[1]), '", assuming the role "', tostring(split(UserIdentityArn, "/")[-2]), '",'),
        // CloudTrail reports IAM users with the type "IAMUser"
        UserIdentityType == "IAMUser", strcat('the IAM user "', UserIdentityUserName, '"'),
        "an unknown user"
    ),
    // A call that returned an error did not actually create the user
    iff(isnotempty(ErrorCode) or isnotempty(ErrorMessage), " failed to create", " created"),
    ' a user called "',
    CreatedUserName,
    '"',
    // Only report the source IP when the call did not originate from an AWS service endpoint
    iff(not(SourceIpAddress has ".amazonaws.com"), strcat(", from the IP address ", SourceIpAddress), ""),
    ".\n"
)
| project
    TimeGenerated,
    UserIdentityType,
    UserIdentityAccountName,
    UserIdentityAccountId,
    SessionCreationDate,
    SessionIssuerUserName,
    SessionIssuerPrincipalId,
    SessionIssuerArn,
    UserIdentityUserName,
    UserIdentityPrincipalid,
    UserIdentityArn,
    UserIdentityAccessKeyId,
    RecipientAccountName,
    RecipientAccountId,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    CreatedUserName,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId,
    AlertSeverity,
    AlertDescription,
    Auditors
This query monitors the creation of users in AWS accounts. It specifically looks for users created through a method other than IAM Identity Center, which is the recommended way to provision users.
The query first retrieves the list of AWS accounts from a watchlist, together with each account's name, auditor, alert severity and notes.
It then filters the AWS CloudTrail logs for user-creation events, excluding those whose event source is "sso-directory.amazonaws.com", and extracts the name of the created user from the request parameters.
Next, the query matches the watchlist entries against two account IDs from the CloudTrail record: the recipient account ID (the account in which the user was created) and the user identity account ID (the account of the caller).
It then builds an alert description that states which AWS account was involved, who performed the action (root user, assumed role or IAM user), whether the call succeeded or failed, the name of the created user, and the source IP address unless the call originated from an AWS service endpoint under ".amazonaws.com".
Finally, it projects the relevant fields: the time the event was generated, user identity type, account names and IDs, session creation date, user identity username, recipient account name and ID, source IP address, event source and name, error code and message, created user name, request parameters, response elements, resources, session MFA authentication status, user agent, AWS event ID, alert severity and description, and auditors.
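To check the detection logic before deploying the rule, the same filter, watchlist enrichment and description building can be exercised offline against a handful of CloudTrail records. The following Python is an added example written for this page, not the query's own code or any Sentinel API: it works on raw CloudTrail JSON (where IAM users carry the type "IAMUser"), the watchlist and the four events are constructed, and `run_detection` stands in for the KQL pipeline, returning one alert per in-scope event.

```python
"""Offline re-implementation of the CreateUser detection over constructed
CloudTrail records (added example; not the page's KQL, not a Sentinel API)."""
import json

# Constructed stand-in for the "AccountId-AuditAWSAccounts" watchlist
WATCHLIST = {
    "111111111111": {"AccountName": "prod-payments", "Auditor": "sec-ops", "Severity": "High"},
    "222222222222": {"AccountName": "shared-services", "Auditor": "cloud-team", "Severity": "Medium"},
}

# Constructed CloudTrail records (raw JSON shape, abbreviated to the fields used here)
SAMPLE_EVENTS = [
    json.dumps({  # assumed role creating a user from a public IP: in scope
        "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
        "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "principalId": "AROAEXAMPLEID:alice",
                         "arn": "arn:aws:sts::111111111111:assumed-role/AdminRole/alice"},
        "requestParameters": {"userName": "svc-reporting"},
    }),
    json.dumps({  # IAM user in an account missing from the watchlist; call was denied
        "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
        "recipientAccountId": "333333333333", "sourceIPAddress": "cloudformation.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "accountId": "333333333333", "userName": "bob"},
        "requestParameters": {"userName": "deploy-user"},
        "errorCode": "AccessDenied",
    }),
    json.dumps({  # provisioned through IAM Identity Center: excluded by the filter
        "eventName": "CreateUser", "eventSource": "sso-directory.amazonaws.com",
        "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.5",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
        "requestParameters": {"userName": "carol"},
    }),
    json.dumps({  # unrelated read-only call: excluded by the filter
        "eventName": "ListUsers", "eventSource": "iam.amazonaws.com",
        "recipientAccountId": "111111111111", "userIdentity": {"type": "Root"},
    }),
]


def is_in_scope(evt):
    """Mirror the query's where clause (substring match stands in for KQL 'has')."""
    return ("CreateUser" in evt.get("eventName", "")
            and evt.get("eventSource") != "sso-directory.amazonaws.com")


def describe_actor(identity):
    """Mirror the case() expression: who performed the action."""
    kind = identity.get("type")
    if kind == "Root":
        return "the root user"
    if kind == "AssumedRole":
        # principalId is "<role-id>:<session-name>"; arn ends in "assumed-role/<role>/<session>"
        session = identity.get("principalId", "").partition(":")[2]
        arn_parts = identity.get("arn", "").split("/")
        role = arn_parts[-2] if len(arn_parts) >= 2 else identity.get("arn", "")
        return f'the user "{session}", assuming the role "{role}",'
    if kind == "IAMUser":
        return f'the IAM user "{identity.get("userName", "")}"'
    return "an unknown user"


def build_alert(evt, watchlist):
    """Mirror the two leftouter lookups and the AlertDescription strcat()."""
    recipient = evt.get("recipientAccountId", "")
    recipient_meta = watchlist.get(recipient, {})
    actor_acct = evt.get("userIdentity", {}).get("accountId", "")
    created = evt.get("requestParameters", {}).get("userName", "")
    failed = bool(evt.get("errorCode") or evt.get("errorMessage"))
    src = evt.get("sourceIPAddress", "")
    description = (
        'This rule detects the creation of a user in AWS accounts using means different than '
        'IAM Identity Center, which should be the one used for this task.\n\nIn the AWS account "'
        + (recipient_meta.get("AccountName") or recipient) + '" '
        + describe_actor(evt.get("userIdentity", {}))
        + (" failed to create" if failed else " created")
        + ' a user called "' + created + '"'
        + ("" if ".amazonaws.com" in src else ", from the IP address " + src)
        + ".\n"
    )
    return {
        "RecipientAccountId": recipient,
        "RecipientAccountName": recipient_meta.get("AccountName"),
        "UserIdentityAccountName": watchlist.get(actor_acct, {}).get("AccountName"),
        "CreatedUserName": created,
        "Failed": failed,
        "AlertSeverity": recipient_meta.get("Severity"),
        "Auditors": recipient_meta.get("Auditor"),
        "AlertDescription": description,
    }


def run_detection(raw_lines, watchlist=WATCHLIST):
    """Parse one JSON record per line and return an alert for each in-scope event."""
    events = (json.loads(line) for line in raw_lines)
    return [build_alert(e, watchlist) for e in events if is_in_scope(e)]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["AlertDescription"])
```

Running it yields two alerts: the assumed-role creation in the watchlisted account carries the watchlist's severity and auditor, while the denied call from the unlisted account falls back to the raw account ID, reads "failed to create", and omits the source address because it came from an AWS service endpoint.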

Jose Sebastián Canós
Released: August 3, 2023