AWS_Key_Compromised
ID: 100129
Description:
An AWS access key ID was uploaded to a public github repo
Repository: Group: AWS Type: event
Default Status:
Enabled
| Tags: |
|---|
| AWS |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @cloudtrail.eventName | PutUserPolicy |
| @cloudtrail.requestParameters.policyName | AWSExposedCredentialPolicy |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @cloudtrail.userIdentity.arn | username | security alert |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| Timeline | 0 | - |
Attributes:
| Alias | Key |
|---|---|
| AccountID | @cloudtrail.recipientAccountId |
| Type | @cloudtrail.userIdentity.type |
| Region | @cloudtrail.awsRegion |
| ClientIP | @cloudtrail.sourceIPAddress |
| UserAgent | @cloudtrail.userAgent |
| Username | @cloudtrail.userIdentity.userName |
| KeyID | @cloudtrail.userIdentity.accessKeyId |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewUser | 10 days | @cloudtrail.userIdentity.userName |
| Risks: | ML_NEW_USER |
History:
| User | Date | | :— | :— | | — | — |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)