Suspicious AWS API calls indicating infrastructure modification using CloudFormation
Description
AlphaSOC detected an unexpected use of AWS CloudFormation APIs to modify infrastructure, including creating, updating, and managing stacks, stack sets, and stack instances. AWS CloudFormation is a service that enables organizations to automate the deployment and management of cloud infrastructure through Infrastructure as Code (IaC). These unauthorized modifications can threaten the security and integrity of an organization's AWS environment and should be investigated.
Impact
Threat actors could exploit these AWS CloudFormation APIs to establish persistence, escalate privileges, or deploy malicious resources.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Analyze AWS CloudTrail logs to determine the source and context of the CloudFormation API calls (principal, source IP, region, and user agent) and verify whether the actions were authorized. If they were not, review the templates used and the resources created or modified, identify the unauthorized changes and revert them, and revoke the IAM credentials associated with the unauthorized API calls.
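The triage below, as an added example that is not AlphaSOC's own detection code, shows one way to run the investigation step over CloudTrail records: it filters for `cloudformation.amazonaws.com` events, compares the action, region, user agent and ASN against a baseline, and maps the number of unexpected properties to the severity table above. The CloudTrail records and the baseline are constructed for the example; the `asn` field is an assumed upstream enrichment, since CloudTrail itself does not carry ASN information.

```python
"""Triage CloudFormation events in CloudTrail records against a baseline.

Constructed example: the records and the baseline below are hand-written
assumptions, not AlphaSOC's configuration or real account activity.
"""
import json

# Hypothetical baseline of what this account normally does with CloudFormation.
BASELINE = {
    "actions": {"DescribeStacks", "ListStacks", "UpdateStack"},
    "regions": {"us-east-1"},
    "user_agents": {"aws-cli", "cloudformation.amazonaws.com", "Terraform"},
    # Hypothetical: ASN is not a CloudTrail field; assume enrichment adds "asn".
    "asns": {"AS64496"},
}

# Constructed CloudTrail export (account id, IPs and URL are placeholders).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # routine describe from the usual CLI in the usual region: expected
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "DescribeStacks",
        "awsRegion": "us-east-1",
        "userAgent": "aws-cli/2.15.0",
        "sourceIPAddress": "203.0.113.10",
        "asn": "AS64496",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "requestParameters": {"stackName": "prod-network"},
    },
    {   # unexpected action, region and user agent; ASN still expected
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "CreateStack",
        "awsRegion": "ap-southeast-2",
        "userAgent": "Boto3/1.34.0",
        "sourceIPAddress": "198.51.100.7",
        "asn": "AS64496",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "requestParameters": {
            "stackName": "tmp-admin-role",
            "templateURL": "https://example.com/PLACEHOLDER-template.yaml",
        },
    },
    {   # not a CloudFormation event: ignored by the filter
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "awsRegion": "us-east-1",
        "userAgent": "aws-cli/2.15.0",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "requestParameters": {},
    },
]})


def unexpected_properties(record, baseline=BASELINE):
    """Return the names of the properties that fall outside the baseline."""
    flagged = []
    if record["eventName"] not in baseline["actions"]:
        flagged.append("action")
    if record["awsRegion"] not in baseline["regions"]:
        flagged.append("region")
    ua = record.get("userAgent", "")
    if not any(ua.startswith(prefix) for prefix in baseline["user_agents"]):
        flagged.append("user_agent")
    asn = record.get("asn")  # hypothetical enrichment key; skipped if absent
    if asn is not None and asn not in baseline["asns"]:
        flagged.append("asn")
    return flagged


def severity_for(flagged):
    """Map the count of unexpected properties to the severity table."""
    count = len(flagged)
    if count == 0:
        return None
    if count == 1:
        return "Informational"
    if count == 2:
        return "Low"
    return "Medium"  # three; treating more than three the same is an assumption


def triage(cloudtrail_json, baseline=BASELINE):
    """Yield one finding per CloudFormation event with unexpected properties."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "cloudformation.amazonaws.com":
            continue
        flagged = unexpected_properties(rec, baseline)
        severity = severity_for(flagged)
        if severity is None:
            continue
        params = rec.get("requestParameters", {})
        findings.append({
            "severity": severity,
            "action": rec["eventName"],
            "unexpected": flagged,
            "principal": rec["userIdentity"]["arn"],   # credentials to review
            "source_ip": rec["sourceIPAddress"],
            "region": rec["awsRegion"],
            "stack": params.get("stackName"),          # resources to review
            "template": params.get("templateURL"),     # template to review
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CLOUDTRAIL):
        print(json.dumps(finding, indent=2))
```

Each finding carries the principal ARN, the stack name and the template URL, which are exactly the items the remediation step needs: the template and stack to review and revert, and the credentials to revoke if the activity turns out to be unauthorized.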
Known False Positives
- Legitimate updates performed by authorized DevOps or cloud engineering teams
- Testing or development activities in sandbox or non-production environments