[Update] Amazon GuardDuty Can Now Detect Misuse of Leaked Amazon ECS Credentials
This page has been translated by machine translation. View original
Hello, this is Usuda.
Everyone, are you doing threat detection on AWS? (greeting)
This time, the Amazon GuardDuty findings UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS and UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.InsideAWS have added support for ECS, so let's verify this.
Overview
As usual, the following arrived as a new GuardDuty Findings update.
{
"version": "1",
"type": "NEW_FINDINGS",
"findingDetails": [
{
"findingType": "UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS",
"link": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws",
"findingDescription": "This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an ECS resource in your AWS environment."
},
{
"findingType": "UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.InsideAWS",
"link": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationinsideaws",
"findingDescription": "This finding informs you that a host within AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an ECS resource in your AWS environment."
}
]
}
The documentation link is here.
It says NEW_FINDINGS, but it's actually an update. (Why is that?)
Previously, this detection type was implemented to detect when AWS Lambda credentials were leaked and used externally.
In addition to EC2 and Lambda credentials, it is now possible to detect when ECS credentials are leaked as well.
OutsideAWS detects cases where execution occurred from outside AWS, and InsideAWS detects cases where execution occurred from a different AWS account.
Tried It Out
This time, I'll trigger UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS detection using ECS on Fargate. It should work fine with ECS on EC2, so being able to detect it on Fargate is a great outcome.
First, I ran a task on Fargate, accessed it via ECS Exec, and obtained some credentials. Then I tried using them from an environment outside AWS. Details are omitted.
After waiting a moment, Amazon GuardDuty detected it.

It was properly detected as UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS. You can also confirm from the summary that it was executed from an external IP.
Looking at the details, the affected resources include information about the ECS task role. It also shows the launch type as FARGATE, confirming that detection works properly in a Fargate environment!

Additionally, ListUsers is listed as an API executed from outside, and detailed information about the origin is shown.

Using this as a starting point, you can further trace AWS CloudTrail logs to investigate what activities were performed.
Additional Investigation
Normally I would wrap things up here, but Amazon GuardDuty recently added the Amazon GuardDuty Investigation feature as a preview!
This feature allows you to perform additional AI-powered investigation on detected findings! Since it's currently in preview, you can use it for free!
So I tried it out to see how far the investigation could go.
First, I ran the investigation from the Investigation feature by specifying the Finding ID. After a while (6 minutes in this case), the investigation was complete, so let's take a look.
First, the risk level was detected as High. Since credentials were actually leaked, this makes sense.

The summary text is a bit lengthy, but the findings are summarized. Among them:
- CloudTrail logs show execution results from two IPs
- One was from the Tokyo region, and the other was executed from outside with a macOS user agent
- From outside,
iam:ListUsersands3:ListBucketswere executed but both failed - The external execution occurred 3-4 minutes after the internal AWS execution
- Activity within 7 days before and after the incident was investigated for the related access key, cluster, role, session, and attacker's IP address, but no other related events were found
These points are explained in the summary.
It's a bit hard to read, but you can see that it investigated quite thoroughly. The details of what happened and the related attacker activity have already been investigated. Excellent!
Below that, there is information mapped to MITRE ATT&CK,

along with recommendations on how to respond.

This really speeds up investigation and response.
Summary
Amazon GuardDuty now supports detection of credential leaks in ECS.
It's especially great that Fargate is now supported!
Additionally, it was confirmed that the Investigation feature is very powerful. I'd like to continue making active use of it going forward.
