First Time AWS Cloudformation Stack Creation by User

Last updated a month ago on 2024-11-07
Created 4 years ago on 2020-07-25

About

This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: CloudformationUse Case: Asset VisibilityTactic: Execution
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

False Positive Examples
Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to reflect the expected frequency of known activity within a particular environment.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(opens in a new tab or window)

Query
event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
    event.action: (CreateStack or CreateStackSet) and event.outcome:success

Install detection rules in Elastic Security

Detect First Time AWS Cloudformation Stack Creation by User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).