Suspicious AWS API calls indicating AWS Firehose delivery stream destination change
Description
AlphaSOC detected modifications to an Amazon Data Firehose delivery stream destination. Data Firehose is a fully managed service that securely delivers real-time streaming data to specified destinations within AWS infrastructure or to custom endpoints. The detected configuration changes affect the destination path of streaming data and its processing parameters.
Impact
Modifying a Firehose destination can result in data exfiltration, loss of audit trails, and disruption of logging mechanisms. A threat actor who redirects or drops the stream can hide their activities and maintain persistence while avoiding detection. Critical security events and operational data may be lost or redirected to an adversary-controlled endpoint.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent, or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review CloudTrail for UpdateDestination events with eventSource firehose.amazonaws.com to determine which principal modified the Firehose configuration, and from which source IP, user agent, and region. Compare the new destination in the request parameters (for example the S3 bucket ARN or the HTTP endpoint URL) against approved endpoints, and validate the change against existing change management records. If the modification is unauthorized, restore the previous destination settings (inspect the current state with aws firehose describe-delivery-stream, then apply the earlier configuration with another UpdateDestination call). Conduct an audit of IAM permissions related to Firehose management, in particular which principals hold firehose:UpdateDestination, to prevent unauthorized access.
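The triage logic described above, as an added example that is not AlphaSOC's own detection code. It scores each CloudTrail UpdateDestination record by how many of its properties (action, ASN, user agent, region) fall outside a per-account baseline, mapping the count to the severity table (one assumption: four unexpected properties are treated as Medium, like three), and checks the new destination against an allowlist. The baseline, allowlist, IP-to-ASN table, and the two CloudTrail records are all constructed; the request parameter names follow the UpdateDestination API.

```python
"""Triage CloudTrail records for Amazon Data Firehose destination changes.

Added example, not AlphaSOC code. Baseline, allowlist, ASN table and
sample events are constructed for illustration.
"""
import ipaddress

# Constructed baseline: what this account's principals normally do with Firehose.
BASELINE = {
    "actions": {"DescribeDeliveryStream", "ListDeliveryStreams", "PutRecordBatch"},
    "asns": {16509},  # AS16509 (Amazon): calls originating inside the account's VPCs
    "user_agent_prefixes": ("aws-sdk-go/", "terraform-provider-aws"),
    "regions": {"us-east-1"},
}

# Constructed allowlist of destinations this account may stream to.
APPROVED_DESTINATIONS = {
    "arn:aws:s3:::corp-log-archive",
    "https://hec.siem.corp.example:8088/services/collector",
}

# Constructed IP-to-ASN table standing in for a real ASN lookup service.
ASN_TABLE = {"52.94.0.0/16": 16509, "185.220.101.0/24": 60729}


def lookup_asn(ip):
    """Map a source IP to an ASN via the constructed table (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for cidr, asn in ASN_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return asn
    return None


def extract_destination(params):
    """Return the new destination from UpdateDestination requestParameters.

    Handles the S3, extended S3 and HTTP endpoint update shapes; other
    destination types return None and should be triaged by hand.
    """
    s3 = params.get("s3DestinationUpdate") or params.get("extendedS3DestinationUpdate")
    if s3:
        return s3.get("bucketARN")
    http = params.get("httpEndpointDestinationUpdate")
    if http:
        return http.get("endpointConfiguration", {}).get("url")
    return None


def unexpected_properties(event):
    """Return the set of baseline properties this record deviates from."""
    unexpected = set()
    if event["eventName"] not in BASELINE["actions"]:
        unexpected.add("action")
    if lookup_asn(event["sourceIPAddress"]) not in BASELINE["asns"]:
        unexpected.add("asn")
    if not event.get("userAgent", "").startswith(BASELINE["user_agent_prefixes"]):
        unexpected.add("user_agent")
    if event["awsRegion"] not in BASELINE["regions"]:
        unexpected.add("region")
    return unexpected


def severity_for(unexpected_count):
    """Severity per the table: 1 -> Informational, 2 -> Low, 3+ -> Medium (assumed)."""
    if unexpected_count >= 3:
        return "Medium"
    return {0: None, 1: "Informational", 2: "Low"}[unexpected_count]


def triage(events):
    """Score Firehose UpdateDestination records and check the new destination."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "firehose.amazonaws.com":
            continue
        if ev.get("eventName") != "UpdateDestination":
            continue
        unexpected = unexpected_properties(ev)
        params = ev.get("requestParameters") or {}
        destination = extract_destination(params)
        findings.append({
            "stream": params.get("deliveryStreamName"),
            "principal": ev.get("userIdentity", {}).get("arn"),
            "destination": destination,
            "destination_approved": destination in APPROVED_DESTINATIONS,
            "unexpected": sorted(unexpected),
            "severity": severity_for(len(unexpected)),
        })
    return findings


# Constructed CloudTrail records: one in-baseline change, one far outside it.
SAMPLE_EVENTS = [
    {"eventSource": "firehose.amazonaws.com", "eventName": "UpdateDestination",
     "awsRegion": "us-east-1", "sourceIPAddress": "52.94.1.10",
     "userAgent": "terraform-provider-aws/5.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "requestParameters": {
         "deliveryStreamName": "cloudtrail-to-s3", "currentDeliveryStreamVersionId": "7",
         "destinationId": "destinationId-000000000001",
         "extendedS3DestinationUpdate": {"bucketARN": "arn:aws:s3:::corp-log-archive"}}},
    {"eventSource": "firehose.amazonaws.com", "eventName": "UpdateDestination",
     "awsRegion": "eu-west-1", "sourceIPAddress": "185.220.101.5",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {
         "deliveryStreamName": "cloudtrail-to-s3", "currentDeliveryStreamVersionId": "8",
         "destinationId": "destinationId-000000000001",
         "httpEndpointDestinationUpdate": {
             "endpointConfiguration": {"url": "https://collector.attacker.example/ingest"}}}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The first record scores Informational (only the action is outside the baseline) and points at an approved bucket, so it only needs matching against change records; the second scores Medium on four unexpected properties and rewrites the stream to an unapproved HTTP endpoint, which is the exfiltration pattern the Impact section describes. Destination approval is reported separately from the severity score because the table does not include it as a scored property.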