AWS API calls indicating DynamoDB privilege escalation
Description
AlphaSOC detected an IAM policy change granting full CRUD (Create, Read, Update,
Delete) permissions on AWS DynamoDB resources. This detection identifies
policies combining dynamodb:Create*/Put*, dynamodb:Get*/Describe*/Scan*,
dynamodb:Update*, and dynamodb:Delete* permissions. The detection triggers
on CreatePolicy, CreatePolicyVersion, PutUserPolicy, PutGroupPolicy,
PutRolePolicy, AttachUserPolicy, AttachRolePolicy, AttachGroupPolicy
events that introduce these permissions.
Full CRUD permissions grant complete control over DynamoDB operations across the environment. Threat actors can scan tables to access sensitive data including user data and business records, or delete tables and items to disrupt services.
Impact
If exploited, the attacker gains unrestricted access to DynamoDB databases, enabling mass data exfiltration of sensitive information including credentials, payment data, and user records. This can lead to data breaches, regulatory violations, and reputational damage. Additionally, the attacker can delete or modify tables and items, causing service disruptions, data loss, and operational downtime.
Severity
| Severity | Condition |
|---|---|
| Low | AWS API calls indicating DynamoDB privilege escalation |
Investigation and Remediation
Check CloudTrail for the PutUserPolicy, PutGroupPolicy, PutRolePolicy, or
Attach*Policy event that added DynamoDB permissions. Identify the target
principal and review requestParameters to examine the exact permissions
granted. Verify whether full CRUD permissions are required for legitimate use,
as database access should typically be scoped to specific tables and limited
operations.
If unauthorized, immediately detach or delete the policy. Review CloudTrail for
Scan, Query, GetItem, CreateTable, PutItem, UpdateItem,
DeleteTable, or DeleteItem actions performed by the affected principal.
Review table modifications for unauthorized updates to user permissions,
authentication tokens, or business records. Check table exports, backup
configurations, and DynamoDB streams for unauthorized activity. If data was
modified or deleted, restore affected tables using backups. Rotate credentials
for the affected principal and review access patterns for applications using
potentially compromised tables.
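A minimal version of the requestParameters review described above, added here as an example (not AlphaSOC's detection code): it parses the inline policyDocument from a Put*Policy or CreatePolicy* CloudTrail record and reports which of the four DynamoDB action classes (create, read, update, delete) it grants. The sample record, role and policy names are constructed; Attach*Policy events carry only a policyArn, so their document has to be fetched before it can be checked the same way.

```python
import fnmatch
import json

# Detection event names whose requestParameters carry the policy document inline;
# Attach*Policy events carry only a policyArn (fetch it with iam:GetPolicyVersion).
INLINE_POLICY_EVENTS = {"CreatePolicy", "CreatePolicyVersion",
                        "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy"}

# One representative API per DynamoDB action class named in the detection. A policy
# action pattern grants a class if it matches any of them ("dynamodb:*" and "*" match all).
CRUD_CLASSES = {
    "create": ("dynamodb:CreateTable", "dynamodb:PutItem"),
    "read":   ("dynamodb:GetItem", "dynamodb:DescribeTable", "dynamodb:Scan"),
    "update": ("dynamodb:UpdateItem",),
    "delete": ("dynamodb:DeleteItem", "dynamodb:DeleteTable"),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_classes(policy_doc):
    """CRUD classes granted by Allow statements; Deny statements and Conditions are not evaluated."""
    classes = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action matching is case-insensitive, so compare lower-cased globs.
            for cls, apis in CRUD_CLASSES.items():
                if any(fnmatch.fnmatchcase(api.lower(), pattern.lower()) for api in apis):
                    classes.add(cls)
    return classes

def inspect_event(event):
    """Evaluate one CloudTrail record; None if the policy document is not inline."""
    params = event.get("requestParameters") or {}
    if event.get("eventName") not in INLINE_POLICY_EVENTS or "policyDocument" not in params:
        return None
    doc = json.loads(params["policyDocument"])  # assumed to be a plain JSON string
    target = (params.get("roleName") or params.get("userName")
              or params.get("groupName") or params.get("policyName"))
    classes = granted_classes(doc)
    return {"eventName": event["eventName"], "target": target,
            "classes": sorted(classes), "full_crud": classes == set(CRUD_CLASSES)}

# Constructed sample record (not a real CloudTrail event): an inline role policy
# granting dynamodb:* on every table, which combines all four classes.
SAMPLE_PUT_ROLE_POLICY = {"eventName": "PutRolePolicy", "requestParameters": {
    "roleName": "app-role", "policyName": "ddb-all",
    "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]})}}
```

A hit with `full_crud` set is the starting point for the principal and activity review above; a partial set still shows which classes were added.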
Known False Positives
- Authorized database administrators provisioning DynamoDB management permissions for centralized data operations
- Infrastructure-as-code deployments creating service roles for automated database management