Summary
The AWS Resource Made Public detection rule monitors for and alerts on AWS resources such as Elastic Container Registry (ECR), Amazon S3, Amazon KMS, Elasticsearch, Amazon SNS, SQS, and Secrets Manager being inadvertently made public. The detection uses AWS CloudTrail logs to identify changes to resource policies that allow public access. Key log events include `SetRepositoryPolicy` for ECR and `PutBucketPolicy` for S3; when the attached policy specifies `Principal: *`, the resource is publicly accessible. The rule includes test cases covering both policies that grant public access and policies that deny it, helping organizations keep stricter control over their resources and mitigating the risk of data exfiltration and unauthorized access. The severity of the rule is Medium, and the suggested runbook action is to adjust the resource policies so they are not publicly accessible.
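As an added illustration of the detection logic described above (not the rule's own code), the following Python checks constructed CloudTrail events for `PutBucketPolicy` and `SetRepositoryPolicy` and flags policies whose `Principal` is `*`. It assumes the CloudTrail field shapes named in the comments, and it skips statements that carry a `Condition` block, a choice made here to reduce false positives rather than something the rule summary states.

```python
"""Flag CloudTrail events that attach a resource policy granting public access.
Assumed field shapes (from CloudTrail requestParameters): S3 PutBucketPolicy
carries bucketPolicy as an object, ECR SetRepositoryPolicy carries policyText
as a JSON string."""
import json

# eventName -> requestParameters key holding the policy that was attached
POLICY_FIELDS = {"PutBucketPolicy": "bucketPolicy", "SetRepositoryPolicy": "policyText"}

def _principal_is_public(principal) -> bool:
    """True for "Principal": "*" or "Principal": {"AWS": "*"} (also "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def policy_is_public(policy) -> bool:
    """True if any Allow statement grants access to everyone.
    Statements with a Condition block are skipped (assumption made here): conditions
    such as aws:SourceVpce or aws:PrincipalOrgID usually narrow the wildcard."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    return any(s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
               and not s.get("Condition") for s in statements)

def resource_made_public(event: dict) -> bool:
    """Detection: a successful policy-setting call whose policy opens the resource."""
    field = POLICY_FIELDS.get(event.get("eventName"))
    if field is None or event.get("errorCode"):  # not a policy write, or the call failed
        return False
    policy = (event.get("requestParameters") or {}).get(field)
    return policy is not None and policy_is_public(policy)

# Constructed sample events (not real account data); first is public, second is not
SAMPLE_EVENTS = [
    {"eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "example-bucket",
     "bucketPolicy": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}}},
    {"eventName": "SetRepositoryPolicy", "requestParameters": {"repositoryName": "example-repo",
     "policyText": json.dumps({"Version": "2008-10-17", "Statement": [{"Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "ecr:BatchGetImage"}]})}},
]
```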
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Logon Session
- Cloud Storage
- Web Credential
ATT&CK Techniques
- T1537
- T4444
Created: 2022-09-02