Detection rules › Panther
Amazon Machine Image (AMI) Modified to Allow Public Access
An Amazon Machine Image (AMI) was modified to allow it to be launched by anyone. Any sensitive configuration or application data stored in the AMI's block devices is at risk.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1537 Transfer Data to Cloud Account |
Rule body yaml
AnalysisType: rule
Filename: aws_ami_modified_for_public_access.py
RuleID: "AWS.CloudTrail.AMIModifiedForPublicAccess"
DisplayName: "Amazon Machine Image (AMI) Modified to Allow Public Access"
Enabled: true
LogTypes:
- AWS.CloudTrail
Tags:
- AWS
- Exfiltration:Transfer Data to Cloud Account
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0010:T1537
Description: >
An Amazon Machine Image (AMI) was modified to allow it to be launched by anyone.
Any sensitive configuration or application data stored in the AMI's block devices is at risk.
Runbook: |
Determine if the AMI is intended to be publicly accessible.
If not, first modify the AMI to not be publicly accessible then change any sensitive data stored
in the block devices associated to the AMI (as they may be compromised).
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
SummaryAttributes:
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: AMI Made Public
ExpectedResult: true
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "ModifyImageAttribute",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"attributeType": "launchPermission",
"imageId": "ami-1111",
"launchPermission": { "add": { "items": [{ "group": "all" }] } },
},
"responseElements": { "_return": true },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: AMI Not Made Public
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: False
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "ModifyImageAttribute",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"attributeType": "launchPermission",
"imageId": "ami-1111",
"launchPermission":
{ "add": { "items": [{ "group": "not-all" }] } },
},
"responseElements": { "_return": true },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: AMI Launch Permissions Not Modified
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: False
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "ModifyImageAttribute",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"attributeType": "someThing",
"imageId": "ami-1111",
"someThing": { "add": { "items": [{ "group": "all" }] } },
},
"responseElements": { "_return": true },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: AMI Added to User
ExpectedResult: false
Mocks:
- objectName: check_account_age
returnValue: False
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "ModifyImageAttribute",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"attributeType": "launchPermission",
"imageId": "ami-1111",
"launchPermission": { "add": { "items": [{ "userId": "bob" }] } },
},
"responseElements": { "_return": true },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: Error Making AMI Public
ExpectedResult: false
Log:
{
"awsRegion": "us-west-2",
"errorCode": "UnauthorizedOperation",
"eventID": "1111",
"eventName": "ModifyImageAttribute",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"attributeType": "launchPermission",
"imageId": "ami-1111",
"launchPermission": { "add": { "items": [{ "group": "all" }] } },
},
"responseElements": { "_return": true },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: Access Granted To Unknown User
ExpectedResult: true
Mocks:
- objectName: check_account_age
returnValue: True
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "ModifyImageAttribute",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"attributeType": "launchPermission",
"imageId": "ami-1111",
"launchPermission":
{ "add": { "items": [{ "userId": "012345678901" }] } },
},
"responseElements": { "_return": true },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": { },
},
"type": "AssumedRole",
},
}
Detection logic
Condition
not (errorCode is_not_null or errorMessage is_not_null or eventName ne "ModifyImageAttribute")
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
errorCode | is_not_null | |
errorMessage | is_not_null | |
eventName | ne | ModifyImageAttribute |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
eventName |
eventSource |
awsRegion |
recipientAccountId |
sourceIPAddress |
userAgent |
userIdentity |