Key fields

CloudTrail events share a common and unified log schema, that notably includes the following fields of interest:

Field name Description
eventTime Event timestamp in UTC.
awsRegion The AWS region the request was made to, such as us-east-1.
eventSource The service the request was made to.

Such as s3.amazonaws.com for S3 buckets, sts.amazonaws.com for the Security Token Service (STS) for temporary credentials request, etc.
eventName The request action, matching one of the AWS API for that service.

For example, AssumeRole, ListBuckets, SendCommand, etc.
errorCode
The error code and human-readable error message associated with an event if (and only if) the operation failed.
readOnly Whether the operation induced a change or is a read-only operation (true or false).
userIdentity Information about the principal that made the request.

* userIdentity.type: the type of the identity.
Possible types:
- Root: account root user.
- IAMUser: IAM user.
- AssumedRole: temporary security credentials obtained with a role by making a call to the AWS STS’s AssumeRole API.
- Role:
- FederatedUser: temporary security credentials for a federated user (Active Directory, AWS Directory Service, etc.), obtained via a call to the AWS STS’s GetFederationToken API. - AWSAccount: An account from another tenant/AWS account.
- AWSService: AWS account that belongs to an AWS service.

* [Optional] userIdentity.userName: Human readable name of the identity that made the call.
Generally only available for IAMUser or Root identity.

* [Optional] userIdentity.arn: ARN of the entity (user or role) that made the call.

* [Optional] userIdentity.principalId: Unique identifier for the entity that made the call.
For temporary security credentials, this value includes the session name. For instance, for AssumedRole events, the principalId is the unique identifier that contains the role ID and the role session name returned in the AssumeRole event’s responseElements.assumedRoleUser.assumedRoleId.

* [Optional] userIdentity.accountId: The account that owns the entity that granted permissions for the request

* [Optional] userIdentity.accessKeyId: The eventual access key ID that was used to make the request.
Access key IDs beginning with AKIA are long-term credentials (for an IAM user or the AWS account root user) while access key IDs beginning with ASIA are temporary credentials (created using AWS STS operations).

* [Optional] userIdentity.sessionContext: Populated for requests made with temporary security credentials to contain information about the session that was created.
userIdentity.sessionContext.creationDate: when the session was created.
userIdentity.sessionContext.mfaAuthenticated: whether the initial credentials were authenticated MFA.
userIdentity.sessionContext.:
userIdentity.sessionContext.sourceIdentity: the original identity (user or role) making the request (with type, arn, userName sub-fields).
sourceIPAddress The IP address that the request was made from.

For requests from services within AWS, only the DNS name of the service (for example ec2.amazonaws.com) is displayed.
userAgent The User-Agent associated with the request was made.
sessionCredentialFromConsole Whether the operation was conducted through the web console (true or false).
resources A list of resource(s) accessed/impacted by the operation associated with the event.

For each resource, the following fields may be available:
- type: resource type identifier (in the format: AWS::<AWS_SERVICE_NAME>::<AWS_DATA_TYPE_NAME>).
- ARN: ARN of the resource.
- accountId: account that owns the resource.
requestParameters The parameters, if any, that were sent with the request.

For example, requestParameters.bucketName, requestParameters.userName, etc.
responseElements The response element(s) for actions that make changes (create, update, or delete actions).

For example, responseElements.user.createDate, responseElements.accessKey.accessKeyId, etc.

Notable API events

eventSource eventName Type Description
sts.amazonaws.com GetCallerIdentity Reconnaissance Return details about the IAM user or role whose credentials are used to call the operation.
iam.amazonaws.com ListUsers Reconnaissance Enumerate the IAM users in the AWS account, that match the optional specified path prefix requestParameters.pathPrefix.
iam.amazonaws.com ListRoles Reconnaissance Enumerate the IAM roles in the AWS account, that match the optional specified path prefix requestParameters.pathPrefix.
iam.amazonaws.com ListGroups Reconnaissance Enumerate the IAM groups in the AWS account, that match the optional specified path prefix requestParameters.pathPrefix.
iam.amazonaws.com ListGroupsForUser Reconnaissance List the IAM groups that the specified IAM user (by requestParameters.userName) belongs to.
iam.amazonaws.com ListPolicies Reconnaissance Enumerate the IAM policies in the AWS account, that match the optional specified path prefix requestParameters.pathPrefix.
iam.amazonaws.com ListAttachedUserPolicies

ListAttachedGroupPolicies

ListAttachedRolePolicies		 Reconnaissance List the managed policies that are attached to the specified IAM user/group/role.

Notable fields:
ListAttachedUserPolicies: requestParameters.userName
ListAttachedGroupPolicies: requestParameters.groupName
ListAttachedRolePolicies: requestParameters.roleName
iam.amazonaws.com ListUserPolicies

ListGroupPolicies

ListRolePolicies		 Reconnaissance List the names of the inline policies embedded in the specified IAM user/group/role.

Notable fields:
ListUserPolicies: requestParameters.userName
ListGroupPolicies: requestParameters.groupName
ListRolePolicies: requestParameters.roleName
iam.amazonaws.com GetPolicy Reconnaissance Get information about the specified managed policy (by requestParameters.policyArn), including the policy’s default version and the total number of IAM users, groups, and roles to the policy is attached to.
iam.amazonaws.com GetPolicyVersion Reconnaissance Get information about the specified version of the specified managed policy, including the policy document.

Notable fields:
requestParameters.policyArn
requestParameters.versionId
s3.amazonaws.com ListBuckets Reconnaissance List the buckets owned by the authenticated sender of the request.
ec2.amazonaws.com GetConsoleScreenshot Reconnaissance Take a screenshot of a running instance.

Notable fields:
requestParameters.instanceId
requestParameters.wakeUp: whether a keystroke input should be simulated to wake up an instance in standby.
ec2.amazonaws.com DescribeInstances Reconnaissance Enumerate and retrieve information on all or the specified instances.

Notable fields:
requestParameters.instanceId: optional list of instance id(s) to enumerate.
requestParameters.filter: optional filter(s).
sts.amazonaws.com AssumeRole Privilege escalation Return a set of temporary security credentials that can be used to access AWS resources under the privileges granted by the role. A role is a set of policies.

Can be called by IAM principal (user or role).

Notable fields:
requestParameters.roleArn: The ARN of the role to assume.
requestParameters.roleSessionName: a unique identifier (in the form of i-089eb6ce74072ae1f) to identify the session.
requestParameters.durationSeconds: the validity period of the temporary credentials. Minimum value of 900 seconds up to the maximum session duration set for the role (maximum 43200 seconds).

responseElements.assumedRoleUser.arn: the ARN of the temporary security credentials, that will be logged under userIdentity.arn (for API calls made during the session).
responseElements.assumedRoleUser.assumedRoleId: a unique identifier containing the role ID and the role session name, that will be logged under userIdentity.principalId (for API calls made during the session).
responseElements.credentials.accessKeyId: the access key ID that identifies the temporary security credentials, that will be logged under userIdentity.accessKeyId (for API calls made during the session).
responseElements.credentials.expiration: the date on which the current credentials expire.
sso.amazonaws.com GetRoleCredentials Privilege escalation Return a set of temporary security credentials.

Similar to AssumeRole, but can (and must) be called by AWS SSO users, which are not directly IAM principals. AWS SSO users can have permission to assume IAM roles and must do so through GetRoleCredentials.

Notable fields: requestParameters.roleName
responseElements.credentials.roleCredentials.accessKeyId
responseElements.credentials.roleCredentials.expiration
iam.amazonaws.com AttachUserPolicy

AttachGroupPolicy

AttachRolePolicy		 Privilege escalation Attach the specified managed policy to the specified IAM user/group/role. A policy is the most atomic level of privileges that can be granted.

As a privilege escalation path, the compromised user may be a member of the impacted group or may be able to assume the impacted role.

Notable fields:
requestParameters.policyArn

AttachUserPolicy: requestParameters.userName
AttachGroupPolicy requestParameters.groupName:
AttachRolePolicy: requestParameters.roleName
iam.amazonaws.com PutUserPolicy

PutGroupPolicy

PutRolePolicy		 Privilege escalation Add (or update) an inline policy embedded in the specified IAM user/group/role. A policy is the most atomic level of privileges that can be granted.

Notable fields:
requestParameters.policyName
requestParameters.policyDocument: policy in JSON format.

PutUserPolicy: requestParameters.userName
PutGroupPolicy: requestParameters.groupName
PutRolePolicy: requestParameters.roleName
iam.amazonaws.com CreatePolicyVersion Privilege escalation Create a new version of the specified managed IAM policy, allowing the definition of new permissions (ultimately granted to IAM users, groups, or Roles the policy is linked to).

Notable fields:
requestParameters.policyArn
requestParameters.policyDocument: policy in JSON format.
requestParameters.setAsDefault: whether the new policy version should be set as default, i.e should become the operative version (true of false).
iam.amazonaws.com SetDefaultPolicyVersion Privilege escalation Set the specified preexisting version of the specified policy as the policy’s default (operative) version.

The policy version set will impact the IAM users, groups, or Roles the policy is linked to, potentially opening privilege escalation vectors.

Notable fields:
requestParameters.policyArn
requestParameters.versionId
iam.amazonaws.com AddUserToGroup Privilege escalation

Persistence		 Add the specified user to the specified group.

Notable fields:
requestParameters.userName
requestParameters.groupName
iam.amazonaws.com CreateAccessKey Privilege escalation

Persistence		 Create a new AWS secret access key for the user specified by requestParameters.userName.

Notable fields:
responseElements.accessKey.accessKeyId
responseElements.accessKey.createDate
responseElements.accessKey.status
responseElements.accessKey.userName
iam.amazonaws.com CreateLoginProfile Privilege escalation

Persistence		 Create a password for the user specified by requestParameters.userName (to allow the user to access the AWS Management Console).

As a privilege escalation vector, a user (userIdentity.userName) can create a password for a (more privileged) user (requestParameters.userName) to connect as the user through the management console and elevate privileges.
iam.amazonaws.com UpdateLoginProfile Privilege escalation

Persistence		 Create a password for the user specified by requestParameters.userName (to allow the user to access the AWS Management Console).

As a privilege escalation vector, a user (userIdentity.userName) can reset the password of a (more privileged) user (requestParameters.userName) to compromise that user and elevate privileges.
ec2.amazonaws.com RunInstances Execution

Persistence		 Create and run new EC2 instance(s).

Notable fields:
requestParameters.instanceType

The requestParameters.instancesSet.items{} list contains (for each request instance):
imageId
tags{} list with a Key=Name with Value=<INSTANCE_NAME>
keyName for the key credentials associated with the instance.

The responseElements.instancesSet.items{} list contains (for each created instance):
instanceId
keyName
subnetId
privateIpAddress
ssm.amazonaws.com SendCommand Execution Run command(s) on one or more instances.

Notable fields:
requestParameters.instanceIds/responseElements.command.instanceIds: list of instance ids for the command execution.
requestParameters.documentName/responseElements.documentName: name of the SSM document to run (such as AWS-RunShellScript or AWS-RunPowerShellScript).
requestParameters.parameters: required and optional parameters specified in the document being run (can be HIDDEN_DUE_TO_SECURITY_REASONS for shell/powershell execution).
ssm.amazonaws.com StartSession Execution Initiate a connection to the target instance.

Notable fields:
requestParameters.target: target instance id.
responseElements.sessionId: identifier of the session.
responseElements.streamUrl: an URL on the target instance SSM Agent used by the Session Manager client to send commands and receive output.
responseElements.tokenValue: a token used to authenticate the connection (hidden in CloudTrail).
ssm.amazonaws.com ResumeSession Execution Reconnect a connection after it has been disconnected (but not terminated).

Notable fields:
requestParameters.sessionId: identifier of the disconnected session.
responseElements.sessionId: identifier of the session.
responseElements.streamUrl: an URL on the target instance SSM Agent used by the Session Manager client to send commands and receive output.
responseElements.tokenValue: a token used to authenticate the connection (hidden in CloudTrail).
ec2.amazonaws.com GetPasswordData Execution

Persistence		 Retrieves the encrypted administrator password for a running Windows instance. The password is encrypted with the key pair specified when the instance was launched.

Notable fields:
requestParameters.instanceId
ec2.amazonaws.com ModifyInstanceAttribute Execution

Persistence		 Modify the specified attribute of the specified instance.

A modification of the userData attribute can be used to execute code at boot time, requiring a restart of a running instance (StopInstances then StartInstances).

Does not allow the modification of the long-terme key pair(s) associated with an instance. There is no AWS API to conduct such operation.

Notable fields:
requestParameters.instanceId
requestParameters.attribute (userData for the user data).
requestParameters.userData (specified user data).
ec2.amazonaws.com SendSSHPublicKey Execution Push a temporary SSH public key to the specified EC2 instance for use by the specified user. The key remains for 60 seconds. Used by the EC2 Instance Connect service for SSH access (directly or through the service web-based interface).

Notable fields:
requestParameters.instanceId
lambda.amazonaws.com CreateFunction Execution

Persistence		 Create a new Lambda function.

Notable fields:
requestParameters.functionName
requestParameters.code but doesn’t include the ZipFile parameter (that contains the base64-encoded contents of the deployment package).
lambda.amazonaws.com UpdateFunctionCode Execution

Persistence		 Update an existing Lambda function’s code.

Notable fields:
requestParameters.functionName
requestParameters.code but doesn’t include the ZipFile parameter (that contains the base64-encoded contents of the deployment package).
s3.amazonaws.com PutBucketAcl Exfiltration Set the ACL of the specified bucket. Note that the use of ACL for S3 is generally deprecated (in favor of using policy).

Notable fields:
requestParameters.bucket
requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI array : URIs for the container for the entity being granted permissions.
If the array contains the string http://acs.amazonaws.com/groups/global/AuthenticatedUsers or http://acs.amazonaws.com/groups/global/AllUsers, the specified bucket is made public.
s3.amazonaws.com GetObject Data access AWS CloudTrail supports Amazon S3 Data Events, but is not enabled by default.

Retrieve objects from Amazon S3, via the associated API.

Access through the web interface (or a static website leveraging a S3 bucket) will not be logged under CloudTrail (but can be logged in S3 server access logs).
ses.amazonaws.com GetAccount

ListIdentities

VerifyEmailIdentity

UpdateAccountSendingEnabled

Impact (phishing) Obtain information about the email-sending status and capabilities of the Amazon SES account (in the current region).

Return a list containing all of the identities (email addresses and domains) of the Amazon SES account (in the current region).

Add an email address to the list of identities Amazon SES account (in the current region) and attempt to verify it.

Enable (or disables email) sending across the entire Amazon SES account in the current AWS Region.

Usage of these APIs by threat actors have been identified in the wild to conduct phishing campaigns following an identity compromise.
iam.amazonaws.com CreateUser Persistence Create a new AWS user in the account.

Notable fields:
responseElements.user.arn
responseElements.user.createDate
responseElements.user.userId
responseElements.user.userName
ec2.amazonaws.com CreateKeyPair Persistence Create a key pair with the specified name in the AWS Region.

Notable fields:
requestParameters.keyName/responseElements.keyName
responseElements.keyFingerprint
responseElements.keyPairId
ec2.amazonaws.com ImportKeyPair Persistence Import the public key (previously created), only providing the public key to AWS.

Notable fields:
requestParameters.keyName/responseElements.keyName
responseElements.keyFingerprint
responseElements.keyPairId
sts.amazonaws.com GetSessionToken Credentials access

Persistence		 Return a set of temporary credentials for an AWS account or IAM user.

The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions:
- Calls to IAM API operations are prohibited unless MFA authentication information is included in the request.
- Calls to STS API are prohibited (except AssumeRole and GetCallerIdentity).

Notable fields:
responseElements.accessKeyId
responseElements.expiration

References

Tags: aws

View on GitHub