AWS Sensitive IAM Operations Performed via CloudShell

Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.

Rule type: query
Rule indices:

• logs-aws.cloudtrail-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

• https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html
• https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

Tags:

• Domain: Cloud
• Data Source: AWS
• Data Source: Amazon Web Services
• Data Source: AWS CloudTrail
• Data Source: AWS IAM
• Tactic: Persistence
• Tactic: Privilege Escalation
• Use Case: Threat Detection
• Resources: Investigation Guide

Version: 1
Rule authors:

• Elastic

Rule license: Elastic License v2

AWS CloudShell is a browser-based shell environment that provides instant command-line access to AWS resources without requiring local CLI installation or credential configuration. While this is convenient for legitimate administrators, it also provides adversaries with a powerful tool if they gain access to a compromised AWS console session. Attackers can use CloudShell to perform sensitive operations without leaving artifacts on their local systems.

This rule detects high-risk IAM operations performed via CloudShell, including credential creation, user management, and policy attachment. These actions are commonly seen in post-compromise scenarios where attackers establish persistence or escalate privileges.

• Identify the actor

  • Review aws.cloudtrail.user_identity.arn to determine which IAM principal performed the action.
  • Check source.ip and source.geo fields to verify the request origin matches expected administrator locations.
  • Investigate the console login event that established the CloudShell session.

• Analyze the specific action

  • Review event.action to understand exactly what operation was performed.
  • For CreateAccessKey or CreateUser, identify the target principal and assess whether this was authorized.
  • For policy attachments, review which policies were attached and to which entities.

• Review request and response details

  • Examine aws.cloudtrail.request_parameters for specifics like user names, policy ARNs, or role configurations.
  • Check aws.cloudtrail.response_elements for created resource identifiers.

• Correlate with surrounding activity

  • Search for preceding events such as ConsoleLogin from the same session or IP address.
  • Look for MFA bypass indicators or unusual login patterns before CloudShell usage.
  • Check for subsequent use of any created credentials or roles.

• Assess the broader context

  • Determine if this CloudShell usage pattern is typical for this user.
  • Review recent access patterns for the console session that initiated CloudShell.

• Routine administrative tasks using CloudShell are common in some organizations. Create baseline profiles for users who regularly use CloudShell.
• Infrastructure automation testing may involve CloudShell for quick validation. Verify with the user.

• If unauthorized, immediately terminate the console session and revoke any created credentials.
• Rotate credentials for any IAM users or roles that may have been compromised.
• Review and remove any unauthorized users, access keys, roles, or policy attachments.
• Consider restricting CloudShell access via SCPs or IAM policies for sensitive accounts.
• Implement session duration limits to reduce the window of opportunity for console session abuse.

• AWS IR Playbooks
• AWS Customer Playbook Framework

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: (
        "CreateAccessKey" or
        "CreateUser" or
        "AttachUserPolicy" or
        "CreateRole" or
        "AttachRolePolicy" or
        "CreateInstanceProfile" or
        "AddRoleToInstanceProfile"
    )
    and event.outcome: "success"
    and user_agent.original: *CloudShell*
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Persistence
  • Id: TA0003
  • Reference URL: https://attack.mitre.org/tactics/TA0003/

• Technique:

  • Name: Create Account
  • Id: T1136
  • Reference URL: https://attack.mitre.org/techniques/T1136/

• Sub Technique:

  • Name: Cloud Account
  • Id: T1136.003
  • Reference URL: https://attack.mitre.org/techniques/T1136/003/

Framework: MITRE ATT&CK

• Tactic:

  • Name: Privilege Escalation
  • Id: TA0004
  • Reference URL: https://attack.mitre.org/tactics/TA0004/

• Technique:

  • Name: Account Manipulation
  • Id: T1098
  • Reference URL: https://attack.mitre.org/techniques/T1098/

• Sub Technique:

  • Name: Additional Cloud Roles
  • Id: T1098.003
  • Reference URL: https://attack.mitre.org/techniques/T1098/003/