IR-004 cloud v1.0.0

AWS Unauthorized Access via CloudTrail Anomaly

⚠️ high ⚠️ critical
Est. Time: 40m
📋 Steps: 10 steps
🔧 Tools: 5 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 75m

🔧 Tools Required

aws cloudtrail, aws guardduty, aws iam, siem, threat intelligence platform

⚡ Triggers

guardduty_finding, cloudtrail_anomaly_alert, siem_aws_unauthorized_api, iam_credential_report_anomaly, aws_security_hub_finding

🔌 Integrations

aws guardduty (required): Primary detection source for AWS threat detection

aws cloudtrail (required): Full API audit trail — essential for investigation

aws security hub (optional): Aggregated security findings across AWS accounts

splunk (optional): CloudTrail log ingestion and SIEM correlation

datadog (optional): Alternative cloud monitoring — CloudTrail integration


Identify which IAM entity (user, role, or service account) is performing the unauthorized actions. Review the GuardDuty finding or SIEM alert for the principal ARN. Determine credential type: long-term access key, temporary STS token, or instance profile. Check if the principal is a human user or machine identity (CI/CD, Lambda, EC2 role).

⚡ Automation Hint

AWS CLI: aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=<principal> --start-time $(date -d "2 hours ago" --iso-8601=seconds) --max-results 50

AWS CLI: aws guardduty get-findings --detector-id <detector_id> --finding-ids <finding_id>

📤 Outputs

compromised_principal_arn, credential_type, access_key_id, source_ip, user_agent
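The principal and credential-type triage in this step can be automated against the raw CloudTrail record. The following is an added example, not part of the runbook or its tooling: it reads one CloudTrail event (a constructed sample is embedded), derives the step's output fields, and applies an assumed naming heuristic (MACHINE_HINTS) to guess whether the identity is a person or a machine.

```python
import json
import re

# Constructed sample record: an assumed-role session on temporary STS credentials from EC2 metadata.
SAMPLE_EVENT = json.dumps({
    "sourceIPAddress": "203.0.113.45",
    "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy-role/i-0abc123def456",
        "accessKeyId": "ASIAEXAMPLE000000001",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/ci-deploy-role"},
            "ec2RoleDelivery": "2.0",
        },
    },
})

# Assumed naming tokens that suggest a machine identity (CI/CD, Lambda) rather than a person.
MACHINE_HINTS = {"ci", "cd", "deploy", "lambda", "github", "gitlab", "jenkins"}

def classify_principal(event_json: str) -> dict:
    ev = json.loads(event_json)
    ident = ev.get("userIdentity", {})
    ctx = ident.get("sessionContext", {})
    key = ident.get("accessKeyId", "")
    # AKIA* = long-term IAM user key, ASIA* = temporary STS credential,
    # ec2RoleDelivery = credentials handed out by the EC2 instance metadata service.
    if "ec2RoleDelivery" in ctx:
        cred = "instance_profile"
    elif key.startswith("ASIA") or ident.get("type") in ("AssumedRole", "FederatedUser"):
        cred = "temporary_sts_token"
    elif key.startswith("AKIA") or ident.get("type") in ("IAMUser", "Root"):
        cred = "long_term_access_key"
    else:
        cred = "unknown"
    # Heuristic: an EC2 instance id as session name, or a CI/deploy-style role name, means machine.
    arn = ident.get("arn", "")
    session = arn.rsplit("/", 1)[-1] if "assumed-role/" in arn else ""
    role_name = ctx.get("sessionIssuer", {}).get("arn", "").rsplit("/", 1)[-1].lower()
    tokens = set(re.split(r"[^a-z0-9]+", role_name)) - {""}
    machine = cred == "instance_profile" or session.startswith("i-") or bool(tokens & MACHINE_HINTS)
    return {
        "compromised_principal_arn": arn,
        "credential_type": cred,
        "access_key_id": key,
        "source_ip": ev.get("sourceIPAddress"),
        "user_agent": ev.get("userAgent"),
        "identity_kind": "machine" if machine else "human",
    }
```

Feed it the `Resources`-stripped event JSON from `lookup-events` (the `CloudTrailEvent` field) and the returned keys map directly onto this step's outputs.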