AWS ElastiCache security group modified
Description
AlphaSOC detected modifications to an AWS ElastiCache security group through actions such as DeleteCacheSecurityGroup, AuthorizeCacheSecurityGroupIngress, or RevokeCacheSecurityGroupIngress.
Threat actors may exploit these actions to evade detection. AWS ElastiCache security groups serve as virtual firewalls, controlling traffic with rules based on IP ranges, protocols, and ports.
Impact
Unauthorized modifications to AWS ElastiCache security groups can expose cache instances to potential attacks by allowing unintended network access. This could lead to unauthorized access to the AWS environment, data breaches, or service disruptions.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS ElastiCache security group modified |
| Low | AWS ElastiCache security group modified unexpectedly |
Investigation and Remediation
Review AWS CloudTrail logs to identify the AWS IAM user or role that performed the actions and verify whether it was authorized. If unauthorized, revert any changes made and rotate any potentially compromised credentials.
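The following Python script is an added example, not AlphaSOC's own detection code. It shows one way to triage CloudTrail records for the three ElastiCache security group actions named above: it extracts the acting IAM principal (resolving assumed-role sessions to the issuing role ARN), the source IP and the affected security group name, and assigns the page's two severities by checking the principal against an allowlist of administrators expected to make such changes. The allowlist, the account ID, the principal names and the sample CloudTrail records are all constructed for the example; the `requestParameters` key name `cacheSecurityGroupName` is assumed to follow CloudTrail's usual lowerCamel casing of the API parameter.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ElastiCache API actions this detection covers (from the page).
ELASTICACHE_SG_ACTIONS = {
    "DeleteCacheSecurityGroup",
    "AuthorizeCacheSecurityGroupIngress",
    "RevokeCacheSecurityGroupIngress",
}

# Hypothetical allowlist: principals whose changes are planned/expected.
# Anything else triggers the "modified unexpectedly" (Low) condition.
EXPECTED_PRINCIPALS = {
    "arn:aws:iam::111122223333:role/CacheAdminRole",
}


@dataclass
class Finding:
    event_name: str
    principal: str
    source_ip: str
    security_group: str
    severity: str


def principal_arn(record: dict) -> str:
    """Return the IAM principal behind the call.

    For AssumedRole sessions CloudTrail stores the role ARN under
    userIdentity.sessionContext.sessionIssuer.arn; for IAM users the
    user ARN is userIdentity.arn directly.
    """
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or "unknown"


def evaluate(record: dict) -> Optional[Finding]:
    """Map a single CloudTrail record to a Finding, or None if out of scope."""
    if record.get("eventSource") != "elasticache.amazonaws.com":
        return None
    event_name = record.get("eventName", "")
    if event_name not in ELASTICACHE_SG_ACTIONS:
        return None
    arn = principal_arn(record)
    params = record.get("requestParameters") or {}
    sg_name = params.get("cacheSecurityGroupName", "unknown")  # assumed key casing
    severity = "Informational" if arn in EXPECTED_PRINCIPALS else "Low"
    return Finding(
        event_name=event_name,
        principal=arn,
        source_ip=record.get("sourceIPAddress", ""),
        security_group=sg_name,
        severity=severity,
    )


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse newline-delimited CloudTrail JSON records and collect findings."""
    findings: List[Finding] = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the triage
        finding = evaluate(record)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real CloudTrail output). The account ID,
# names and IPs are placeholders.
SAMPLE_LINES = [
    json.dumps({
        "eventSource": "elasticache.amazonaws.com",
        "eventName": "AuthorizeCacheSecurityGroupIngress",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/CacheAdminRole/ops",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::111122223333:role/CacheAdminRole"}},
        },
        "requestParameters": {"cacheSecurityGroupName": "prod-cache-sg"},
    }),
    json.dumps({
        "eventSource": "elasticache.amazonaws.com",
        "eventName": "DeleteCacheSecurityGroup",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/contractor"},
        "requestParameters": {"cacheSecurityGroupName": "prod-cache-sg"},
    }),
    json.dumps({"eventSource": "elasticache.amazonaws.com",
                "eventName": "DescribeCacheClusters"}),       # read-only, ignored
    json.dumps({"eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress"}),  # EC2 SG, ignored
    "this line is not json",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"[{f.severity}] {f.event_name} on {f.security_group} "
              f"by {f.principal} from {f.source_ip}")
```

Running the script prints one Informational finding for the allowlisted role and one Low finding for the unexpected IAM user; the read-only ElastiCache call, the EC2 security group event and the malformed line are skipped. In practice the allowlist would come from change-management data, and the Low findings are the ones to follow up on as described above (confirm authorization, revert the change, rotate credentials).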
Known False Positives
- Authorized administrators making planned changes to AWS ElastiCache security groups