    AWS CloudTrail Falco rules

    Rules by tag: APPRUNNER (4), AUTOSCALING (2), CLOUDSHELL (1), CLOUDTRAIL (7), CLOUDWATCH (3), CONFIG (19), CONSOLE (3), DMS (1), EBS (1), EC2 (20), ECR (1), ECS (8), ECS EXEC (3), EFS (1), ELASTICSEARCH (2), ELB (4), FARGATE (8), GUARDDUTY (6), IAM (39), KMS (5), LAMBDA (6), RDS (13), ROUTE53 (3), S3 (14), SAGEMAKER (1), SECRETSMANAGER (1), SECURITYHUB (9), VPC (14), WAF (2), OTHER (2).

    Total 189 rules.

    APPRUNNER

    Create App Runner Service from Code Repository

    Detect the building and deployment of an App Runner service from a code repository.

    cloud aws aws_apprunner
    Create App Runner Service from Image Repository

    Detect the deployment of an App Runner service from an image repository.

    cloud aws aws_apprunner
    Delete App Runner Service

    Detect the deletion of an App Runner service.

    cloud aws aws_apprunner
    Deploy App Runner Service

    Detect the deployment of an App Runner service.

    cloud aws aws_apprunner

    AUTOSCALING

    Create Autoscaling Group without ELB Health Checks

    Detect the creation of an autoscaling group associated with a load balancer that is not using health checks.

    cloud aws aws_autoscaling
    Update Autoscaling Group without ELB Health Checks

    Detect the update of an autoscaling group associated with a load balancer that is not using health checks.

    cloud aws aws_autoscaling

    CLOUDSHELL

    CloudShell Environment Created

    Detect creation of a new CloudShell environment.

    cloud aws aws_cloudshell

    CLOUDTRAIL

    CloudTrail Trail Created

    Detect creation of a new trail.

    cloud aws aws_cloudtrail mitre_TA0009-collection mitre_T1530-data-from-cloud-storage-object
    CloudTrail Trail Deleted

    Detect deletion of an existing trail.

    cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    CloudTrail Logfile Encryption Disabled

    Detect disabling the CloudTrail logfile encryption.

    cloud aws aws_cloudtrail
    CloudTrail Logfile Validation Disabled

    Detect disabling the CloudTrail logfile validation.

    cloud aws aws_cloudtrail
    CloudTrail Logging Disabled

    Detect that CloudTrail logging has been disabled; this is potentially malicious.

    cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    CloudTrail Multi-region Disabled

    Detect disabling CloudTrail multi-region.

    cloud aws aws_cloudtrail
    CloudTrail Trail Updated

    Detect update of an existing trail.

    cloud aws aws_cloudtrail mitre_TA0009-collection mitre_TA0040-impact mitre_T1492-store-data-manipulation mitre_T1530-data-from-cloud-storage-object
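
The CloudTrail rules above all key on a handful of CloudTrail record fields (eventSource, eventName, errorCode and the UpdateTrail request parameters). The block below is an added example, not code from this page or from the Falco/Sysdig rule set: it re-implements those detections in Python and runs them over a constructed CloudTrail delivery document. The trail ARN, account ID 111122223333 and user names are placeholders, and the assumption that UpdateTrail request parameters appear with a lower-case initial (isMultiRegionTrail, enableLogFileValidation, kmsKeyId) is noted in the code.

```python
"""Python re-implementation of the CloudTrail-tampering detections listed
above, run over constructed CloudTrail records. Illustrative only: this is
not Falco rule syntax and not the project's own rule definitions."""
import json

# Constructed sample delivery document in CloudTrail's {"Records": [...]} shape.
# eventName / errorCode / requestParameters are real CloudTrail fields; the
# account ID 111122223333 and the trail ARN are documentation placeholders.
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": TRAIL}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"name": TRAIL, "isMultiRegionTrail": False,
                           "enableLogFileValidation": False, "kmsKeyId": ""}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "errorCode": "AccessDenied",          # denied, so the trail survived
     "requestParameters": {"name": TRAIL}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
]})


def iter_records(text):
    """Yield records from a delivery document or from one-record-per-line text."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        doc = None
    if isinstance(doc, dict) and "Records" in doc:
        yield from doc["Records"]
        return
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def request_param(ev, key):
    return (ev.get("requestParameters") or {}).get(key)


def trail_tampering_rules(ev):
    """Return the titles of the CloudTrail rules above that this record triggers.
    Only successful calls count: a denied DeleteTrail changed nothing (alert on
    attempts separately if you want to see them)."""
    if ev.get("eventSource") != "cloudtrail.amazonaws.com" or "errorCode" in ev:
        return []
    name = ev.get("eventName")
    if name == "StopLogging":
        return ["CloudTrail Logging Disabled"]
    if name == "DeleteTrail":
        return ["CloudTrail Trail Deleted"]
    if name == "CreateTrail":
        return ["CloudTrail Trail Created"]
    if name != "UpdateTrail":
        return []
    hits = ["CloudTrail Trail Updated"]
    # Assumption: request parameters carry the UpdateTrail API field names with
    # a lower-case initial, as CloudTrail logs them. An explicit false turns the
    # feature off; an absent field leaves the trail's current setting unchanged.
    if request_param(ev, "isMultiRegionTrail") is False:
        hits.append("CloudTrail Multi-region Disabled")
    if request_param(ev, "enableLogFileValidation") is False:
        hits.append("CloudTrail Logfile Validation Disabled")
    if request_param(ev, "kmsKeyId") == "":   # empty key ID removes SSE-KMS
        hits.append("CloudTrail Logfile Encryption Disabled")
    return hits


def scan(log_text):
    """Return (eventName, actor, [rule titles]) for every record that fired."""
    findings = []
    for ev in iter_records(log_text):
        hits = trail_tampering_rules(ev)
        if hits:
            ident = ev.get("userIdentity", {})
            actor = ident.get("userName") or ident.get("arn") or ident.get("type")
            findings.append((ev["eventName"], actor, hits))
    return findings


if __name__ == "__main__":
    for name, actor, hits in scan(SAMPLE_LOG):
        print(f"{name} by {actor}: {', '.join(hits)}")
```

Running the block reports the StopLogging call by alice and the UpdateTrail call by the assumed-role session, the latter matching four rules at once; the denied DeleteTrail and the read-only DescribeTrails produce nothing.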

    CLOUDWATCH

    CloudWatch Delete Alarms

    Detect deletion of an alarm.

    cloud aws aws_cloudwatch mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
    CloudWatch Delete Log Group

    Detect deletion of a CloudWatch log group.

    cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction
    CloudWatch Delete Log Stream

    Detect deletion of a CloudWatch log stream.

    cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction

    CONFIG

    Delete Config Rule

    Detect deletion of a configuration rule.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Configuration Aggregator

    Detect deletion of the configuration aggregator.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Configuration Recorder

    Detect deletion of the configuration recorder.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Conformance Pack

    Detect deletion of a conformance pack.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Delivery Channel

    Detect deletion of the delivery channel.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Organization Config Rule

    Detect deletion of an organization config rule.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Organization Conformance Pack

    Detect deletion of an organization conformance pack.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Remediation Configuration

    Detect deletion of a remediation configuration.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Retention Configuration

    Detect deletion of the retention configuration, which sets the number of days that AWS Config stores historical information.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Config Rule

    Detect addition or update in an AWS Config rule.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Configuration Aggregator

    Detect creation and update of the configuration aggregator with the selected source accounts and regions.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Conformance Pack

    Detect creation or update of a conformance pack.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Delivery Channel

    Detect creation of a delivery channel.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Organization Config Rule

    Detect addition or update in an AWS Organization Config rule.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Organization Conformance Pack

    Detect deployment of conformance packs across member accounts in an AWS Organization.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Remediation Configurations

    Detect addition or update of a remediation configuration for a specific AWS Config rule, with the selected target action.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Remediation Exceptions

    Detect addition of a new remediation exception, or update of an existing one, for a specific resource and AWS Config rule.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Put Retention Configuration

    Detect creation or update of the retention configuration, which sets the number of days that AWS Config stores historical information.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Stop Configuration Recorder

    Detect stopping the configuration recorder.

    cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

    CONSOLE

    Console Login Through Assume Role

    Detect a console login through Assume Role.

    cloud aws aws_console aws_iam
    Console Login Without MFA

    Detect a console login without MFA.

    cloud aws aws_console aws_iam
    Console Root Login Without MFA

    Detect root console login without MFA.

    cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal

    DMS

    Create Public DMS Replication Instance

    Detect creation of a public DMS replication instance.

    cloud aws aws_dms

    EBS

    EBS Volume Creation without Encryption at Rest

    Detect creation of an EBS volume without encryption at rest enabled.

    cloud aws aws_ebs

    EC2

    Allocate New Elastic IP Address to AWS Account

    Detect that a public IP address has been allocated to the account.

    cloud aws aws_ec2
    Associate Elastic IP Address to AWS Network Interface

    Detect that a public IP address has been associated with a network interface.

    cloud aws aws_ec2
    Authorize Security Group Egress

    Detect addition of the specified egress rules to a security group.

    cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Authorize Security Group Ingress

    Detect addition of the specified ingress rules to a security group.

    cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Create Snapshot

    Detect creation of an EBS volume snapshot (snapshots are stored in Amazon S3).

    cloud aws aws_ec2
    Delete Subnet

    Detect deletion of the specified subnet.

    cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction
    Describe Instances

    Detect a request to describe the specified EC2 instances or all EC2 instances.

    cloud aws aws_ec2
    Disable EBS Encryption by Default

    Detect disabling EBS encryption by default for an account in the current region.

    cloud aws aws_ec2 mitre_TA0040-impact mitre_T1492-store-data-manipulation
    Make EBS Snapshot Public

    Detect making an EBS snapshot public.

    cloud aws aws_ec2
    EC2 Serial Console Access Enabled

    Detect EC2 serial console access being enabled for the account in a specific region.

    cloud aws aws_ec2
    Get Password Data

    Detect retrieval of the encrypted administrator password for a running Windows instance.

    cloud aws aws_ec2 mitre_TA0003-persistence mitre_T1108-redundant-access
    Modify Image Attribute

    Detect modification of the specified attribute of the specified AMI.

    cloud aws aws_ec2 mitre_TA0010-exfiltration
    Modify Snapshot Attribute

    Detect addition or removal of permission settings for the specified EC2 snapshot.

    cloud aws aws_ec2 mitre_TA0010-exfiltration mitre_T1537-transfer-data-to-cloud-account
    Replace Route

    Detect replacing an existing route within a route table in a VPC.

    cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Revoke Security Group Egress

    Detect removal of the specified egress rules from a security group.

    cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Revoke Security Group Ingress

    Detect removal of the specified ingress rules from a security group.

    cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Run Instances in Non-approved Region

    Detect launching of a specified number of instances in a non-approved region.

    cloud aws aws_ec2
    Run Instances with Non-standard Image

    Detect launching of a specified number of instances with a non-standard image.

    cloud aws aws_ec2
    Run Instances

    Detect launching of a specified number of instances.

    cloud aws aws_ec2
    Delete Cluster

    Detect deletion of the specified cluster.

    cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction
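
The "Authorize Security Group Ingress" rule above, and the "Create Security Group Rule Allowing SSH Ingress" and "Create Security Group Rule Allowing Ingress Open to the World" rules listed under IAM further down this page, all have to parse the same nested EC2 request shape, where CloudTrail wraps each list as {"items": [...]}. The block below is an added example, not code from this page or from the Falco/Sysdig rule set: it normalises both the ipPermissions form and the older single-rule form (ipProtocol/fromPort/toPort/cidrIp at the top level) and classifies constructed records. Security group IDs and user names are placeholders.

```python
"""Python re-implementation of the security-group ingress detections on this
page, run over constructed CloudTrail records. Illustrative only: not Falco
rule syntax and not the project's own rules."""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


# Constructed records. The nested {"items": [...]} shape and field names are how
# CloudTrail logs EC2 requestParameters; the sg- IDs are placeholders.
def _sg_event(perms=None, error=None, **flat):
    ev = {"eventSource": "ec2.amazonaws.com",
          "eventName": "AuthorizeSecurityGroupIngress",
          "userIdentity": {"type": "IAMUser", "userName": "alice"},
          "requestParameters": {"groupId": "sg-0123456789abcdef0", **flat}}
    if perms is not None:
        ev["requestParameters"]["ipPermissions"] = {"items": perms}
    if error:
        ev["errorCode"] = error
    return ev


def _perm(proto, lo=None, hi=None, v4=(), v6=(), groups=()):
    p = {"ipProtocol": proto,
         "ipRanges": {"items": [{"cidrIp": c} for c in v4]},
         "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in v6]},
         "groups": {"items": [{"groupId": g} for g in groups]}}
    if lo is not None:
        p["fromPort"], p["toPort"] = lo, hi
    return p


SAMPLE_LOG = json.dumps({"Records": [
    _sg_event([_perm("tcp", 22, 22, v4=["0.0.0.0/0"])]),             # SSH from anywhere
    _sg_event([_perm("tcp", 443, 443, v4=["10.0.0.0/8"])]),           # HTTPS, internal only
    _sg_event([_perm("-1", v6=["::/0"])]),                            # all traffic, all IPv6
    _sg_event([_perm("tcp", 22, 22, groups=["sg-0fedcba9876543210"])]),  # SSH from another SG
    _sg_event([_perm("tcp", 22, 22, v4=["0.0.0.0/0"])], error="UnauthorizedOperation"),
    _sg_event(ipProtocol="tcp", fromPort=3389, toPort=3389, cidrIp="0.0.0.0/0"),  # flat form
]})


def _items(node):
    """EC2 request parameters wrap lists as {"items": [...]}; accept a bare list too."""
    if isinstance(node, dict):
        return node.get("items") or []
    return node or []


def permissions(params):
    """Normalise a request into (protocol, from_port, to_port, sources) tuples."""
    perms = _items(params.get("ipPermissions"))
    if not perms and "ipProtocol" in params:      # single-rule request form
        flat = {k: params[k] for k in ("ipProtocol", "fromPort", "toPort") if k in params}
        if "cidrIp" in params:
            flat["ipRanges"] = {"items": [{"cidrIp": params["cidrIp"]}]}
        perms = [flat]
    out = []
    for p in perms:
        proto = str(p.get("ipProtocol"))
        # Protocol -1 means all traffic, so every port is in scope.
        lo = 0 if proto == "-1" or p.get("fromPort") is None else p["fromPort"]
        hi = 65535 if proto == "-1" or p.get("toPort") is None else p["toPort"]
        sources = [r["cidrIp"] for r in _items(p.get("ipRanges")) if "cidrIp" in r]
        sources += [r["cidrIpv6"] for r in _items(p.get("ipv6Ranges")) if "cidrIpv6" in r]
        sources += [g["groupId"] for g in _items(p.get("groups")) if "groupId" in g]
        out.append((proto, lo, hi, sources))
    return out


def ingress_rules(ev):
    """Titles of the catalog rules this record triggers (successful calls only)."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress" or "errorCode" in ev:
        return []
    hits = ["Authorize Security Group Ingress"]
    world = ssh = False
    for proto, lo, hi, sources in permissions(ev.get("requestParameters") or {}):
        world |= bool(WORLD_CIDRS & set(sources))
        ssh |= proto in ("tcp", "6", "-1") and lo <= 22 <= hi
    if world:
        hits.append("Create Security Group Rule Allowing Ingress Open to the World")
    if ssh:
        hits.append("Create Security Group Rule Allowing SSH Ingress")
    return hits


def scan(log_text):
    """Return (groupId, [rule titles]) for every record that fired."""
    findings = []
    for ev in json.loads(log_text)["Records"]:
        hits = ingress_rules(ev)
        if hits:
            findings.append(((ev.get("requestParameters") or {}).get("groupId"), hits))
    return findings


if __name__ == "__main__":
    for group, hits in scan(SAMPLE_LOG):
        print(group, "->", "; ".join(hits))
```

Note that "all traffic" (ipProtocol -1) counts as SSH ingress here because port 22 is within the range it opens, and that a rule allowing SSH only from another security group fires the SSH rule but not the open-to-the-world one.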

    ECR

    ECR Image Pushed

    Detect a new image pushed to an ECR registry.

    cloud aws aws_ecr

    ECS

    ECS Service Created

    Detect creation of a new ECS service.

    cloud aws aws_ecs aws_fargate
    ECS Service Deleted

    Detect deletion of an ECS service.

    cloud aws aws_ecs aws_fargate
    Execute Interactive Command inside an ECS Container

    Detect execution of an interactive command inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
    Execute Command inside an ECS Container

    Detect execution of a command inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
    ECS Task Run or Started

    Detect an ECS task being run or started.

    cloud aws aws_ecs aws_fargate
    ECS Task Stopped

    Detect an ECS task being stopped.

    cloud aws aws_ecs aws_fargate
    Terminal Shell in ECS Container

    A terminal shell has been executed inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
    ECS Service Task Definition Updated

    Detect update of an ECS service's task definition.

    cloud aws aws_ecs aws_fargate

    ECS EXEC

    Execute Interactive Command inside an ECS Container

    Detect execution of an interactive command inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
    Execute Command inside an ECS Container

    Detect execution of a command inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
    Terminal Shell in ECS Container

    A terminal shell has been executed inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell

    EFS

    Create Unencrypted EFS

    Detect creation of an unencrypted elastic file system.

    cloud aws aws_efs

    ELASTICSEARCH

    Elasticsearch Domain Creation without Encryption at Rest

    Detect creation of an Elasticsearch domain without encryption at rest enabled.

    cloud aws aws_elasticsearch
    Elasticsearch Domain Creation without VPC

    Detect creation of an Elasticsearch domain without a VPC.

    cloud aws aws_elasticsearch

    ELB

    Create HTTP Target Group without SSL

    Detect creation of an HTTP target group not using SSL.

    cloud aws aws_elb
    Create Internet-facing AWS Public Facing Load Balancer

    Detect creation of an AWS internet-facing load balancer.

    cloud aws aws_elb
    Delete Listener

    Detect deletion of the specified listener.

    cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application
    Modify Listener

    Detect replacing the specified properties of the specified listener.

    cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application

    FARGATE

    ECS Service Created

    Detect creation of a new ECS service.

    cloud aws aws_ecs aws_fargate
    ECS Service Deleted

    Detect deletion of an ECS service.

    cloud aws aws_ecs aws_fargate
    Execute Interactive Command inside an ECS Container

    Detect execution of an interactive command inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
    Execute Command inside an ECS Container

    Detect execution of a command inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
    ECS Task Run or Started

    Detect an ECS task being run or started.

    cloud aws aws_ecs aws_fargate
    ECS Task Stopped

    Detect an ECS task being stopped.

    cloud aws aws_ecs aws_fargate
    Terminal Shell in ECS Container

    A terminal shell has been executed inside an ECS container.

    cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
    ECS Service Task Definition Updated

    Detect update of an ECS service's task definition.

    cloud aws aws_ecs aws_fargate

    GUARDDUTY

    Delete Detector

    Detect deletion of an Amazon GuardDuty detector.

    cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Guard Duty Delete Members

    Detect deletion of GuardDuty member accounts, specified by account ID, from the current GuardDuty administrator account.

    cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Disable GuardDuty

    Detect disabling of GuardDuty.

    cloud aws aws_guardduty
    Guard Duty Disassociate from Master Account

    Detect disassociation of the current GuardDuty member account from its administrator account.

    cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Guard Duty Disassociate Members

    Detect disassociation of GuardDuty member accounts, specified by account ID, from the current GuardDuty administrator account.

    cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Stop Monitoring Members

    Detect stopping GuardDuty monitoring for the specified member accounts.

    cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

    IAM

    Console Login Failure

    Detect a console login failure.

    cloud aws aws_iam
    Console Login Success From Untrusted IP

    Detect a successful console login from an untrusted IP address.

    cloud aws aws_iam
    Console Login Success

    Detect a successful console login.

    cloud aws aws_iam
    Console Login Through Assume Role

    Detect a console login through Assume Role.

    cloud aws aws_console aws_iam
    Console Login Without MFA

    Detect a console login without MFA.

    cloud aws aws_console aws_iam
    Console Root Login Without MFA

    Detect root console login without MFA.

    cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
    Logged in without Using MFA

    (DEPRECATED) Detect user login without using MFA (multi-factor authentication). Use "Console Login Without MFA" instead.

    cloud aws aws_iam
    Password Recovery Requested

    Detect AWS IAM password recovery requests.

    cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
    Put Inline Policy in Group to Allow Access to All Resources

    Detect putting an inline policy in a group that allows access to all resources.

    cloud aws aws_iam
    Create Access Key for Root User

    Detect creation of an access key for root.

    cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
    Deactivate Hardware MFA for Root User

    Detect deactivating hardware MFA configuration for root.

    cloud aws aws_iam
    Deactivate MFA for Root User

    Detect deactivating MFA configuration for root.

    cloud aws aws_iam
    Deactivate Virtual MFA for Root User

    Detect deactivating virtual MFA configuration for root.

    cloud aws aws_iam
    Delete Virtual MFA for Root User

    Detect deleting MFA configuration for root.

    cloud aws aws_iam pcs_dss_iam.5
    Root User Executing AWS Command

    Detect the root user executing an AWS command.

    cloud aws aws_iam
    Add AWS User to Group

    Detect adding a user to a group.

    cloud aws aws_iam
    Attach Administrator Policy

    Detect attaching an administrator policy to a user.

    cloud aws aws_iam
    Attach IAM Policy to User

    Detect attaching an IAM policy to a user.

    cloud aws aws_iam
    Create Group

    Detect creation of a new user group.

    cloud aws aws_iam mitre_TA0003-persistence mitre_T1108-redundant-access
    Create Security Group Rule Allowing SSH Ingress

    Detect creation of a security group rule allowing SSH ingress.

    cloud aws aws_iam
    Create Security Group Rule Allowing Ingress Open to the World

    Detect creation of a security group rule allowing ingress open to the world.

    cloud aws aws_iam
    Create AWS user

    Detect creation of a new AWS user.

    cloud aws aws_iam mitre_TA0003-persistence mitre_T1136-create-account
    Create IAM Policy that Allows All

    Detect creation of an IAM policy that allows all actions on all resources.

    cloud aws aws_iam
    Deactivate MFA for User Access

    Detect deactivating MFA configuration for user access.

    cloud aws aws_iam
    Delete Group

    Detect deletion of a user group.

    cloud aws aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
    Delete AWS user

    Detect deletion of an AWS user.

    cloud aws aws_iam
    Put IAM Inline Policy to User

    Detect putting an IAM inline policy on a user.

    cloud aws aws_iam
    Remove AWS User from Group

    Detect removing a user from a group.

    cloud aws aws_iam
    Update Account Password Policy Not Expiring

    Detect an update to the account password policy that lets passwords never expire.

    cloud aws aws_iam
    Update Account Password Policy Expiring in More Than 90 Days

    Detect an update to the account password policy that sets password expiration to more than 90 days.

    cloud aws aws_iam
    Update Account Password Policy Not Preventing Reuse of Last 24 Passwords

    Detect an update to the account password policy that does not prevent reuse of the last 24 passwords.

    cloud aws aws_iam
    Update Account Password Policy Not Preventing Reuse of Last 4 Passwords

    Detect an update to the account password policy that does not prevent reuse of the last 4 passwords.

    cloud aws aws_iam
    Update Account Password Policy Not Requiring 14 Characters

    Detect an update to the account password policy that does not require a minimum length of 14 characters.

    cloud aws aws_iam
    Update Account Password Policy Not Requiring 7 Characters

    Detect an update to the account password policy that does not require a minimum length of 7 characters.

    cloud aws aws_iam
    Update Account Password Policy Not Requiring Lowercase

    Detect an update to the account password policy that does not require a lowercase letter.

    cloud aws aws_iam
    Update Account Password Policy Not Requiring Number

    Detect an update to the account password policy that does not require a number.

    cloud aws aws_iam
    Update Account Password Policy Not Requiring Symbol

    Detect an update to the account password policy that does not require a symbol.

    cloud aws aws_iam
    Update Account Password Policy Not Requiring Uppercase

    Detect an update to the account password policy that does not require an uppercase letter.

    cloud aws aws_iam
    Update Assume Role Policy

    Detect modification of a role's trust (assume role) policy.

    cloud aws aws_iam mitre_TA0006-credential-access mitre_T1110-brute-force
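
The console-login rules in this section hinge on three CloudTrail fields (userIdentity.type, responseElements.ConsoleLogin and additionalEventData.MFAUsed), and the ten password-policy rules are threshold checks on the UpdateAccountPasswordPolicy request parameters, where an omitted parameter falls back to the IAM API default (length 6, no character class required, passwords never expire, reuse not prevented). The block below is an added example, not code from this page or from the Falco/Sysdig rule set: it re-implements both families in Python over constructed records. The trusted network 198.51.100.0/24, account 111122223333 and the user names are placeholders, and excluding AssumedRole sessions from the MFA check is a design choice explained in the code.

```python
"""Python re-implementation of the console-login and password-policy rules
listed in this IAM section, run over constructed CloudTrail records.
Illustrative only: not Falco rule syntax and not the project's own rules."""
import ipaddress
import json

# Assumption: the organisation's trusted egress ranges (hypothetical value).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


# Constructed records in CloudTrail's {"Records": [...]} delivery shape. Field
# names are the ones CloudTrail emits for ConsoleLogin and
# UpdateAccountPasswordPolicy; account and IP values are placeholders.
def _login(identity, ip, outcome, mfa):
    return {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": identity, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa}}


SAMPLE_LOG = json.dumps({"Records": [
    _login({"type": "IAMUser", "userName": "alice"}, "198.51.100.7", "Success", "Yes"),
    _login({"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
           "203.0.113.5", "Success", "No"),
    _login({"type": "IAMUser", "userName": "mallory"}, "203.0.113.9", "Failure", "No"),
    _login({"type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
           "198.51.100.8", "Success", "No"),
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAccountPasswordPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"minimumPasswordLength": 8, "requireSymbols": False,
                           "requireNumbers": True, "requireUppercaseCharacters": True,
                           "requireLowercaseCharacters": True, "maxPasswordAge": 180,
                           "passwordReusePrevention": 3}},
]})


def console_login_rules(ev):
    """Titles of the console-login rules above that one record triggers."""
    if ev.get("eventName") != "ConsoleLogin":
        return []
    outcome = (ev.get("responseElements") or {}).get("ConsoleLogin")
    if outcome == "Failure":
        return ["Console Login Failure"]
    if outcome != "Success":
        return []
    hits = ["Console Login Success"]
    try:
        src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        trusted = any(src in net for net in TRUSTED_NETWORKS)
    except ValueError:          # e.g. "AWS Internal" instead of an address
        trusted = False
    if not trusted:
        hits.append("Console Login Success From Untrusted IP")
    ident_type = ev.get("userIdentity", {}).get("type")
    mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
    if ident_type == "AssumedRole":
        # MFA for a role session is enforced when the role is assumed, so the
        # per-login MFAUsed flag says nothing useful; report the path instead.
        hits.append("Console Login Through Assume Role")
    elif mfa == "No":
        hits.append("Console Login Without MFA")
        if ident_type == "Root":
            hits.append("Console Root Login Without MFA")
    return hits


def password_policy_rules(ev):
    """Titles of the password-policy rules above that one record triggers.
    Omitted parameters take the IAM API defaults (see the lead-in)."""
    if ev.get("eventName") != "UpdateAccountPasswordPolicy" or "errorCode" in ev:
        return []
    p = ev.get("requestParameters") or {}
    max_age, reuse = p.get("maxPasswordAge", 0), p.get("passwordReusePrevention", 0)
    length = p.get("minimumPasswordLength", 6)
    checks = [
        ("Not Expiring", max_age == 0),
        ("Expiring in More Than 90 Days", max_age > 90),
        ("Not Preventing Reuse of Last 24 Passwords", reuse < 24),
        ("Not Preventing Reuse of Last 4 Passwords", reuse < 4),
        ("Not Requiring 14 Characters", length < 14),
        ("Not Requiring 7 Characters", length < 7),
        ("Not Requiring Lowercase", not p.get("requireLowercaseCharacters", False)),
        ("Not Requiring Number", not p.get("requireNumbers", False)),
        ("Not Requiring Symbol", not p.get("requireSymbols", False)),
        ("Not Requiring Uppercase", not p.get("requireUppercaseCharacters", False)),
    ]
    return ["Update Account Password Policy " + name for name, weak in checks if weak]


def scan(log_text):
    """Return (eventName, actor, [rule titles]) for every record that fired."""
    findings = []
    for ev in json.loads(log_text)["Records"]:
        hits = console_login_rules(ev) + password_policy_rules(ev)
        if hits:
            ident = ev.get("userIdentity", {})
            actor = ident.get("userName") or ident.get("arn") or ident.get("type")
            findings.append((ev["eventName"], actor, hits))
    return findings
```

Calling scan(SAMPLE_LOG) shows the root login from 203.0.113.5 matching four rules at once (success, untrusted IP, no MFA, root without MFA), the assumed-role login matching only the assume-role rule, and the policy update matching five of the ten threshold rules; a policy update with an empty requestParameters object would match nine.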

    KMS

    Create Customer Master Key

    Detect creation of a new CMK (with rotation disabled).

    cloud aws aws_kms
    Disable CMK Rotation

    Detect disabling of a customer master key's rotation.

    cloud aws aws_kms
    Disable Key

    Detect disabling a customer master key (CMK), thereby preventing its use for cryptographic operations.

    cloud aws aws_kms
    Remove KMS Key Rotation

    Detect removal of KMS key rotation.

    cloud aws aws_kms
    Schedule Key Deletion

    Detect scheduling of the deletion of a customer master key.

    cloud aws aws_kms

    LAMBDA

    Create Lambda Function Not Using Latest Runtime

    Detect creation of a Lambda function not using the latest runtime.

    cloud aws aws_lambda mitre_T1190-exploit-public-facing-application
    Create Lambda Function Using Unsupported Runtime

    Detect creation of a Lambda function using an unsupported runtime.

    cloud aws aws_lambda mitre_T1190-exploit-public-facing-application
    Create Lambda Function

    Detect creation of a Lambda function.

    cloud aws aws_lambda mitre_TA0003-persistence
    Dissociate Lambda Function from VPC

    Detect dissociation of a Lambda function from a VPC.

    cloud aws aws_lambda
    Update Lambda Function Code

    Detect updates to a Lambda function code.

    cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking
    Update Lambda Function Configuration

    Detect updates to a Lambda function configuration.

    cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking

    RDS

    Authorize DB Security Group Ingress

    Detect enabling ingress to a DB security group, authorized either by a CIDR/IP range or by an EC2 security group.

    cloud aws aws_rds
    Create DB Cluster

    Detect creation of a database cluster.

    cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
    Create DB Security Group

    Detect creation of a database security group.

    cloud aws aws_rds
    Create Global Cluster

    Detect creation of a global cluster.

    cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
    Delete DB Cluster

    Detect deletion of a database cluster.

    cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
    Delete DB Security Group

    Detect deletion of a database security group.

    cloud aws aws_rds
    Delete DB Snapshot

    Detect deletion of a database snapshot.

    cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
    Make RDS DB Instance Public

    Detect making an RDS DB instance public.

    cloud aws aws_rds
    Make RDS Snapshot Public

    Detect making an RDS snapshot public.

    cloud aws aws_rds
    Modify RDS Snapshot Attribute

    Detect modification of an RDS snapshot attribute.

    cloud aws aws_rds mitre_TA0010-exfiltration mitre_T1537-transfer-data-to-cloud-account
    Revoke DB Security Group Ingress

    Detect revocation of ingress from a DB security group for previously authorized IP ranges or EC2 or VPC security groups.

    cloud aws aws_rds
    Stop DB Cluster

    Detect stopping of a database cluster.

    cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop
    Stop DB Instance

    Detect stopping of a database instance.

    cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop

    ROUTE53

    Associate VPC with Hosted Zone

    Detect association of an Amazon VPC with a private hosted zone.

    cloud aws aws_route53
    Change Resource Record Sets

    Detect creation, changes, or deletion of a resource record set.

    cloud aws aws_route53
    Register Domain

    Detect registration of a new domain.

    cloud aws aws_route53

    S3

    Delete Bucket CORS

    Detect deletion of the CORS configuration of a bucket.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Delete Bucket Encryption

    Detect deletion of the default encryption configuration from a bucket.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Delete Bucket Lifecycle

    Detect deletion of the lifecycle configuration from the specified bucket.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Delete Bucket Policy

    Detect deletion of the policy of a specified bucket.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Delete Bucket Public Access Block

    Detect deletion of the public access block configuration from a bucket.

    cloud aws aws_s3
    Delete Bucket Replication

    Detect deletion of the replication configuration from the bucket.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Read Object in Watched Bucket

    Detect a Read operation on objects in watched buckets.

    cloud aws aws_s3
    List Buckets

    Detect listing of all S3 buckets.

    cloud aws aws_s3 mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
    Put Bucket ACL

    Detect setting the permissions on an existing bucket using access control lists.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Put Bucket CORS

    Detect setting the CORS configuration of a bucket.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Put Bucket Lifecycle

    Detect creation or modification of a lifecycle configuration for the bucket [DEPRECATED use `Put Bucket Lifecycle Configuration` instead].

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Put Bucket Policy

    Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Put Bucket Replication

    Detect creation of a replication configuration or the replacement of an existing one.

    cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
    Put Object in Watched Bucket

    Detect a Put operation on objects in watched buckets.

    cloud aws aws_s3

    SAGEMAKER

    Create SageMaker Notebook Instance with Direct Internet Access

    Detect creation of a SageMaker notebook instance with direct internet access.

    cloud aws aws_sagemaker

    SECRETSMANAGER

    Get Secret Value

    Detect retrieval of the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.

    cloud aws aws_secretsmanager mitre_TA0006-credential-access mitre_T1528-steal-application-access-token

    SECURITYHUB

    Batch Disable Standards

    Detect disabling of the standards specified by the provided StandardsSubscriptionArns.

    cloud aws aws_securityhub
    Delete Action Target

    Detect deletion of a custom action target from Security Hub.

    cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Security Hub Delete Members

    Detect deletion of the specified member accounts from Security Hub.

    cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Disable Import Findings for Product

    Detect disabling of the integration of the specified product with Security Hub.

    cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Disable Security Hub

    Detect disabling the Security Hub in the current region.

    cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Security Hub Disassociate From Master Account

    Detect disassociation of the current Security Hub member account from the associated master account.

    cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Security Hub Disassociate Members

    Detect disassociation of the specified member accounts from the current Security Hub administrator (master) account.

    cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Update Action Target

    Detect updating the name and description of a custom action target in Security Hub.

    cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Update Standards Control

    Detect enabling or disabling of a standard control.

    cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

    VPC

    Accept VPC Peering Connection

    Detect accepting a VPC peering connection.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Attach Internet Gateway

    Detect attaching an internet gateway.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Create a Network ACL Entry Allowing Ingress Open to the World

    Detect creation of a network ACL entry allowing ingress open to the world.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Create a Network ACL Entry

    Detect creating a network ACL entry.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Create a Network ACL

    Detect creating a network ACL.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Create VPC Route

    Detect creating a VPC route.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Create VPC Peering Connection

    Detect creating a VPC peering connection.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Create VPC with Default Security Group

    Detect creation of a new VPC with default security group.

    cloud aws aws_vpc
    Create VPC with No Flow Log

    Detect creation of a new VPC with no flow log.

    cloud aws aws_vpc
    Delete VPC Flow Log

    Detect deletion of a VPC flow log.

    cloud aws aws_vpc mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
    Delete a Network ACL Entry

    Detect deletion of a network ACL entry.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Delete a Network ACL

    Detect deleting a network ACL.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Replace a Network ACL Association

    Detect replacement of a network ACL association.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
    Replace a Network ACL Entry

    Detect replacement of a network ACL entry.

    cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

    WAF

    Delete WAF Rule Group

    Detect deleting a WAF rule group.

    cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
    Delete Web ACL

    Detect deleting a web ACL.

    cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

    OTHER

    AWS Command Executed by Untrusted User

    Detect AWS command execution by an untrusted user.

    cloud aws
    AWS Command Executed on Unused Region

    Detect AWS command execution in unused regions.

    cloud aws mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions