aws-credential-compromise-detection – Detecting Credential Compromise in AWS


Public cloud lets many companies operate faster, by creating environments in a short period of time, and cheaper, by reducing software, hardware and licensing expenses. As always, these benefits come with security concerns: the idea behind using the cloud is to run your applications and systems on the internet, and that brings the threat of credential compromise.

Attacker motivation in the public cloud ranges from minimal impact, such as bitcoin mining to generate income or spreading malware to use a compromised instance in a DDoS attack, to higher impact, such as compromising data and sensitive information. If you are looking for a tool to investigate and detect AWS credential compromise, you can check the aws-credential-compromise-detection tool.

This tool helps analyze CloudTrail logs to detect whether an AWS key was used from an external IP address. The script includes a whitelist that assists in whitelisting external IPs approved by the system administrator, as well as a whitelist for the private subnets "100.64.0.0/10, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16". So the idea behind aws-credential-compromise-detection is to look into the logs and analyze the source of API calls.
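The check described above, as an added Python example (not the tool's own code): it reads CloudTrail records, skips entries whose `sourceIPAddress` is an AWS service name rather than an IP, and reports access keys used from addresses outside the whitelist. The log records, key IDs, the approved external range and the function name `find_external_key_use` are constructed for illustration.

```python
import ipaddress
import json

# Private ranges quoted in the post, plus a constructed admin-approved external range.
PRIVATE_NETS = ("100.64.0.0/10", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
APPROVED_EXTERNAL = ("198.51.100.0/24",)  # assumption: e.g. an office NAT range
ALLOWLIST = [ipaddress.ip_network(n) for n in PRIVATE_NETS + APPROVED_EXTERNAL]


def _rec(time, name, src, key):
    """Build one constructed record using real CloudTrail field names."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": src,
            "userIdentity": {"accessKeyId": key}}


# Constructed CloudTrail log: documentation IP ranges and fake key IDs.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "DescribeInstances", "10.1.2.3", "ASIAEXAMPLEKEY000001"),
    _rec("2024-01-01T10:05:00Z", "GetObject", "100.64.12.9", "ASIAEXAMPLEKEY000001"),
    _rec("2024-01-01T10:07:00Z", "ListBuckets", "198.51.100.7", "AKIAEXAMPLEKEY000002"),
    _rec("2024-01-01T10:09:00Z", "AssumeRole", "ec2.amazonaws.com", "ASIAEXAMPLEKEY000001"),
    _rec("2024-01-01T10:12:00Z", "ListBuckets", "203.0.113.50", "ASIAEXAMPLEKEY000001"),
]})


def find_external_key_use(cloudtrail_json, allowlist=ALLOWLIST):
    """Return one finding per API call made with a key from a non-whitelisted IP."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue  # event did not involve an access key
        try:
            ip = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            continue  # AWS service name (e.g. ec2.amazonaws.com), not a client IP
        if not any(ip in net for net in allowlist):
            findings.append({"accessKeyId": key, "sourceIPAddress": str(ip),
                             "eventName": rec.get("eventName"),
                             "eventTime": rec.get("eventTime")})
    return findings


if __name__ == "__main__":
    for finding in find_external_key_use(SAMPLE_LOG):
        print(finding)
```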


This is a good way to detect and alert on suspicious and malicious activity in an AWS account, while the recommendation is to restrict user account permissions and to rotate keys so that they expire within a predefined period. Auditing, hardening and monitoring online activity should come first, with the highest priority.

You can read more and download the tool over here: https://github.com/Netflix-Skunkworks/
