
Summary
The rule titled "AWS Redshift Cluster Creation" is designed to detect unauthorized creation of Amazon Redshift clusters, focusing on cases where a non-administrative user initiates the action. Such activity may indicate improperly configured permissions, a weakness that could lead to data exfiltration or other exposure within the AWS environment. The rule queries CloudTrail logs for successful CreateCluster events by non-admin users; any match that is not expected should be reviewed. Suggested investigative steps include reviewing logs for actions related to the cluster creation, examining the user's IAM roles to validate their permissions, checking the cluster configuration against security best practices, and tracking the user's activity for unusual patterns. False positives may arise from legitimate administrative actions or automated processes, so establishing exceptions or narrowing the monitoring to specific contexts is recommended. When a detection fires, immediate isolation of suspicious clusters, auditing of the involved user's permissions, and notification of the security team are the crucial remediation steps. The AWS Fleet integration or the Filebeat module must be set up for the rule to function effectively.
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Network Traffic
- Application Log
Created: 2022-04-12