AWS ElastiCache security group modified

ID: aws_elasticache_security_group_modified
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0005:T1562.007

Description

AlphaSOC detected modifications to an AWS ElastiCache security group through actions such as DeleteCacheSecurityGroup, AuthorizeCacheSecurityGroupIngress, or RevokeCacheSecurityGroupIngress. Threat actors may use these actions to weaken network controls and evade detection. AWS ElastiCache security groups serve as virtual firewalls, controlling traffic to cache instances with rules based on IP ranges, protocols, and ports.

Impact

Unauthorized modifications to AWS ElastiCache security groups can expose cache instances to potential attacks by allowing unintended network access. This could lead to unauthorized access to the AWS environment, data breaches, or service disruptions.

Severity

Severity       Condition
Informational  AWS ElastiCache security group modified
Low            AWS ElastiCache security group modified unexpectedly

Investigation and Remediation

Review AWS CloudTrail logs to identify the AWS IAM user or role that performed the actions and verify whether it was authorized. If unauthorized, revert any changes made and rotate any potentially compromised credentials.
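The following script is an added example of the triage step described above and of the event names listed in the Description; it is not AlphaSOC's detection code. It reads CloudTrail records in the standard JSON format, keeps only ElastiCache security group changes, extracts the IAM principal, source IP and affected group, and assigns the rule's two severity levels: "informational" for any change, "low" when the principal is not on an allow-list of expected administrators. The allow-list, the sample records and the requestParameters field names (CloudTrail lower-cases the first letter of API parameter names, so EC2SecurityGroupName appears as eC2SecurityGroupName) are assumptions for illustration.

```python
"""Triage CloudTrail records for AWS ElastiCache security group changes.

Added example, not AlphaSOC's or AWS's code. Assumes records in the standard
CloudTrail JSON format ({"Records": [...]}); the allow-list and the sample
events below are constructed for illustration.
"""
import json

# Event names from the rule description.
ELASTICACHE_SG_EVENTS = {
    "DeleteCacheSecurityGroup",
    "AuthorizeCacheSecurityGroupIngress",
    "RevokeCacheSecurityGroupIngress",
}

# Hypothetical allow-list: principals expected to change these groups.
AUTHORIZED_PRINCIPALS = {
    "arn:aws:sts::123456789012:assumed-role/CacheAdminRole/alice",
}


def classify_event(record, authorized=AUTHORIZED_PRINCIPALS):
    """Return None if the record is unrelated, otherwise a finding dict.

    Severity mirrors the rule's table: any matching change is
    'informational'; a change by a principal outside the allow-list is
    'low' (an unexpected modification).
    """
    if record.get("eventSource") != "elasticache.amazonaws.com":
        return None
    if record.get("eventName") not in ELASTICACHE_SG_EVENTS:
        return None
    principal = record.get("userIdentity", {}).get("arn", "<unknown>")
    params = record.get("requestParameters") or {}
    return {
        "time": record.get("eventTime"),
        "event": record["eventName"],
        "principal": principal,
        "source_ip": record.get("sourceIPAddress"),
        "group": params.get("cacheSecurityGroupName"),
        # Assumed CloudTrail spelling of the EC2SecurityGroupName parameter.
        "ec2_group": params.get("eC2SecurityGroupName"),
        # A rejected call (errorCode present) changed nothing, but a denied
        # attempt by an unknown principal is still worth seeing.
        "succeeded": "errorCode" not in record,
        "severity": "informational" if principal in authorized else "low",
    }


def triage(records, authorized=AUTHORIZED_PRINCIPALS):
    """Return the findings for all matching records, in log order."""
    findings = (classify_event(r, authorized) for r in records)
    return [f for f in findings if f is not None]


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list."""
    return json.loads(text).get("Records", [])


# Constructed sample records: one expected change, one unexpected deletion,
# and one unrelated EC2 event that must be ignored.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "elasticache.amazonaws.com",
        "eventName": "AuthorizeCacheSecurityGroupIngress",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/CacheAdminRole/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"cacheSecurityGroupName": "prod-cache-sg",
                              "eC2SecurityGroupName": "app-tier",
                              "eC2SecurityGroupOwnerId": "123456789012"},
    },
    {
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "elasticache.amazonaws.com",
        "eventName": "DeleteCacheSecurityGroup",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/contractor"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"cacheSecurityGroupName": "prod-cache-sg"},
    },
    {
        "eventTime": "2024-05-01T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/contractor"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding, indent=2))
```

To pull the same records from a live account, `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=elasticache.amazonaws.com` returns recent management events, which can be filtered with the functions above. A "low" finding is the cue to verify the principal and source IP with the owning team before reverting the change and rotating its credentials.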

Known False Positives

  • Authorized administrators making planned changes to AWS ElastiCache security groups