Monitor Unintended AWS API Calls

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring (RTM) engine detected unintended AWS API calls made in your Amazon Web Services account. An unintended AWS API call is a request that contains an "Action" parameter that indicates an operation not planned or meant to be performed within your AWS account. Detecting unintended API calls in real time can help you with risk mitigation. For example, if an inexperienced user is granted (accidentally or intentionally) unintended IAM API access and the user begins making API calls, his actions can lead to severe security issues, data leaks, data loss and/or unexpected charges on your AWS bill. Once enabled, the Real-Time Threat Monitoring (RTM) feature starts monitoring for unintended AWS API requests, in order to help you gain visibility into your AWS account API activity. RTM utilizes the logging information collected by AWS CloudTrail to process and send notifications about the unintended AWS API calls made within your account. The following is an example of an AWS CloudTrail log entry used by the Real-Time Threat Monitoring (RTM) engine engine to detect unintended API calls. The example shows how an IAM user named James has been using AWS CLI to perform an unintended API call (in this case a call to Amazon EC2 "StartInstances" action) by using the ec2-start-instances CLI command for an EC2 instance identified by the ID i-01234567abcabcabc:

{"Records": [{
  "eventVersion": "1.0",
  "userIdentity": {
      "type": "IAMUser",
      "principalId": "AABBCCDDAABBCCDDAABBC",
      "arn": "arn:aws:iam::123456789012:user/James",
      "accessKeyId": "AAAABBBBCCCCDDDDEEEE",
      "accountId": "123456789012",
      "userName": "James"
  },
  "eventTime": "2024-01-10T11:32:44Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "StartInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.0.0",
  "userAgent": "ec2-api-tools 1.6.0.2",
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-01234567abcabcabc"}]}},
  "responseElements": {"instancesSet": {"items": [{
     "instanceId": "i-01234567abcabcabc",
      "currentState": {
          "code": 0,
          "name": "pending"
      },
      "previousState": {
          "code": 80,
          "name": "stopped"
      }
  }]}}
}]} 

The activity detected by Conformity Real-Time Threat Monitoring (RTM), based on AWS CloudTrail logging data, could be any AWS API request that triggers any of the predefined events defined within the conformity rule settings. Prior to running this rule by the RTM engine, the unintended AWS service events must be configured in the rule settings, on your Conformity account console. For example, imagine that your AWS production account has been locked down and therefore no changes to the IAM service are expected but an API call with the following parameters is made: Identity: IAM user, Service: Amazon IAM, Event: "CreateUser". Or when Amazon CloudTrail trails cannot be removed by any IAM users within your AWS account: Identity: IAM user, Service: CloudTrail, Event: "DeleteTrail". Another example could be, as shown in the table below, when your AWS account is completely locked down for auditing and no user action is expected: Identity: IAM user, Service: Amazon EC2, Event: "StartInstances":

Identity	Service	Event
^(IAM).*	^(ec2.amazonaws.com).*	StartInstances
^(IAM).*	^(cloudtrail.amazonaws.com).*	DeleteTrail
IAMUser	^(iam.amazonaws.com).*	^(Create).* ^(Delete).* ^(Update).* ^(Put).*

The communication channels required for sending RTM notifications can be configured in your Conformity account settings. The list of supported communication channels that you can use to receive notification alerts for unintended API calls are email, SMS, Slack, PagerDuty, Zendesk, and ServiceNow.