First Time AWS Cloudformation Stack Creation by User

Last updated 14 days ago on 2024-11-07

Created 4 years ago on 2020-07-25

About

This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: CloudformationUse Case: Asset VisibilityTactic: Execution

Severity

medium

Risk Score

MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

False Positive Examples

Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to reflect the expected frequency of known activity within a particular environment.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(opens in a new tab or window)
Query

event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
    event.action: (CreateStack or CreateStackSet) and event.outcome:success

Install detection rules in Elastic Security

Detect First Time AWS Cloudformation Stack Creation by User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).