Security-Related Queries for AWS
This post has several queries you can run in Sumo Logic to detect potential security issues in your AWS account.
Note: Each query returns no results when no events in the selected time range match the condition it checks for. An empty result set therefore means that no such activity was logged, provided CloudTrail events are actually being ingested into the _sourceCategory the query names; verify that first before treating an empty result as a clean bill of health.
Monitor AWS Root Account Usage
Minimizing the use of the root account is a security best practice, because root has unrestricted access to every resource in your AWS account and cannot be constrained by IAM policies. Run this query to see which API calls were made with root credentials, from which source IP address, and when, so that each occurrence can be traced back to a person and a reason.
_sourceCategory=Labs/AWS/CloudTrail and root
| json "eventType", "eventName", "eventSource", "sourceIPAddress", "userIdentity", "responseElements" nodrop
| json field=userIdentity "type", "arn" nodrop
| where type="Root"
| formatDate(_messageTime, "yy-MM-dd HH:mm:ss") as date
| count date, eventname, eventtype, sourceipaddress, type, arn
| sort by date
When a problem is detected, the query returns results like this:
Monitor "Permit Any" Ingress Security Groups Created
Security group rules act as virtual firewall rules for AWS resources. Every security group has a set of ingress and egress rules that define the traffic it permits. As a best practice, limit access to resources by IP range, protocol and port, and avoid "Permit Any" rules (all protocols, the full port range, or a source of 0.0.0.0/0 or ::/0), which allow unwanted traffic to come in or go out. The query below flags a rule when either dimension is wide open. Two things to keep in mind when reading its output: a non-empty errorcode column means the API call failed (for example, it was denied by IAM) and the rule was never created, and the port and CIDR fields are extracted as arrays, so a single call that authorizes several rule entries at once is matched against the combined list rather than entry by entry.
_sourceCategory=Labs/AWS/CloudTrail and (authorizesecuritygroupingress or authorizesecuritygroupegress)
| json "eventName", "requestParameters", "userIdentity"
| json "errorCode" nodrop
| json field=useridentity "type" nodrop
| json field=useridentity "arn" nodrop
| json field=requestParameters "ipPermissions"
| json field=requestParameters "groupId"
| json field=ipPermissions "items[*].ipRanges.items[*].cidrIp" as cidrIp nodrop
| json field=ipPermissions "items[*].ipv6Ranges.items[*].cidrIpv6" as cidrIpv6 nodrop
| json field=ipPermissions "items[*].fromPort" as fromPort nodrop
| json field=ipPermissions "items[*].toPort" as toPort nodrop
| json field=ipPermissions "items[*].ipProtocol" as ipProtocol nodrop
| where (ipprotocol matches "*-1*" or (fromport="[0]" and toport="[65535]")) or cidrip matches "*0.0.0.0/0*" or cidripv6 matches "*::/0*"
| formatDate(_messageTime, "yy-MM-dd HH:mm:ss") as date
| count date, eventname, cidrip, cidripv6, fromport, toport, groupid, ipprotocol, arn, type, errorcode
| sort by date
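The same "Permit Any" check, as an added example that is not part of the original post: the matching logic of the query above re-implemented in Python and run over a few constructed CloudTrail AuthorizeSecurityGroupIngress/Egress records, so it can be exercised offline and extended. The record layout follows CloudTrail's requestParameters shape; the account ID, security group IDs, ARNs and addresses are made up. Unlike the Sumo query, it evaluates each rule entry on its own and decides "any source" by prefix length, so a specific IPv6 prefix such as 2001:db8::/32 is not flagged.

```python
# Added example, not code from the original post. Constructed CloudTrail records
# (abbreviated to the fields the check uses); IDs and addresses are invented.
import ipaddress
import json

SAMPLE_EVENTS = [
    json.dumps({  # tcp/22 open to the world: flagged (any source)
        "eventTime": "2023-05-01T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}}]}}}),
    json.dumps({  # all protocols from a private range: flagged (any protocol)
        "eventTime": "2023-05-01T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
            {"ipProtocol": "-1",
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {}}]}}}),
    json.dumps({  # tcp/443 from specific v4 and v6 prefixes: clean
        "eventTime": "2023-05-01T10:10:00Z", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"groupId": "sg-0e5f6a7b", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]},
             "ipv6Ranges": {"items": [{"cidrIpv6": "2001:db8::/32"}]}}]}}}),
    json.dumps({  # denied call: the rule was never created, so it is skipped
        "eventTime": "2023-05-01T10:15:00Z", "eventName": "AuthorizeSecurityGroupIngress",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"groupId": "sg-0e5f6a7b", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}}]}}}),
    json.dumps({  # egress, full tcp port range to ::/0: flagged on both counts
        "eventTime": "2023-05-01T10:20:00Z", "eventName": "AuthorizeSecurityGroupEgress",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
        "requestParameters": {"groupId": "sg-0e5f6a7b", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "ipRanges": {},
             "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}}),
]


def allows_all_protocols(perm):
    """True when the entry covers every protocol (-1) or the full port range."""
    if str(perm.get("ipProtocol")) == "-1":
        return True
    return perm.get("fromPort") == 0 and perm.get("toPort") == 65535


def any_source_cidrs(perm):
    """CIDRs in the entry that match every address (prefix length 0), v4 or v6."""
    hits = []
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for entry in perm.get(key, {}).get("items", []):
            cidr = entry.get(field)
            try:
                if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    hits.append(cidr)
            except ValueError:
                pass  # malformed CIDR: not "any", leave it to a data-quality check
    return hits


def find_permit_any_rules(raw_events):
    """One finding per ipPermissions entry that opens every protocol/port or
    every address. Calls with an errorCode are skipped: no rule was created."""
    findings = []
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("eventName") not in ("AuthorizeSecurityGroupIngress",
                                       "AuthorizeSecurityGroupEgress"):
            continue
        if ev.get("errorCode"):
            continue
        params = ev.get("requestParameters") or {}
        for perm in params.get("ipPermissions", {}).get("items", []):
            open_cidrs = any_source_cidrs(perm)
            all_protocols = allows_all_protocols(perm)
            if open_cidrs or all_protocols:
                findings.append({
                    "time": ev.get("eventTime"), "event": ev["eventName"],
                    "groupId": params.get("groupId"),
                    "arn": (ev.get("userIdentity") or {}).get("arn"),
                    "protocol": perm.get("ipProtocol"),
                    "ports": (perm.get("fromPort"), perm.get("toPort")),
                    "allProtocols": all_protocols, "openCidrs": open_cidrs,
                })
    return findings


if __name__ == "__main__":
    for finding in find_permit_any_rules(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints three findings (the tcp/22 rule from 0.0.0.0/0, the all-protocols rule, and the egress rule to ::/0); the tcp/443 rule and the denied call produce nothing. Because each finding records separately whether it tripped on the protocol/port side or the address side, a team that deliberately exposes 443 to the internet can suppress "openCidrs only" findings on that port without losing the rest.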
The query returns results like this:
Monitor a User’s Logins from Different IP addresses
This query identifies principals that have logged in to the console from more than one source IP address within the selected time range. That can indicate leaked or phished credentials, although legitimate causes exist too (a user moving between an office NAT address, a VPN pool and a home connection, or several people sharing one IAM user), so treat a hit as a lead to confirm with the user rather than as proof of compromise. The arn column distinguishes IAM users from assumed-role sessions, whose ARN includes the session name.
This query is written for AWS CloudTrail, but it can be repurposed for any source that records user logins with a source address, such as Linux or Windows authentication logs, or logs from SaaS tools like O365, Okta, OneLogin, or SFDC.
_sourceCategory=Labs/AWS/CloudTrail and consolelogin
| json "eventType", "eventName", "eventSource", "sourceIPAddress", "userIdentity", "responseElements", "additionalEventData"
| json field=userIdentity "type", "arn"
| json field=responseElements "ConsoleLogin"
| json field=additionalEventData "MFAUsed", "SamlProviderArn" nodrop
| where consolelogin="Success"
| count arn, sourceipaddress
| sort by arn
| 1 as rownum
| total rownum by arn
| where _total > 1
| fields -_count, rownum
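The same multi-IP login check, as an added example that is not part of the original post: the query's logic re-implemented in Python over constructed CloudTrail ConsoleLogin records. It goes one step beyond the query by accepting an optional map of known egress networks (an office NAT range, a VPN pool), so that two addresses inside the same known network count as a single location and do not trigger a false positive on their own. The account ID, user names, the known-network label and all addresses are made up.

```python
# Added example, not code from the original post. Builds a handful of constructed
# CloudTrail ConsoleLogin records and groups successful logins by principal ARN.
import ipaddress
import json
from collections import defaultdict


def _login_record(arn, ip, result, mfa="Yes"):
    """Constructed CloudTrail ConsoleLogin record, serialized as one JSON line."""
    return json.dumps({
        "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": result},
        "additionalEventData": {"MFAUsed": mfa},
    })


SAMPLE_EVENTS = [
    # alice: two addresses, both inside the (invented) office NAT range
    _login_record("arn:aws:iam::123456789012:user/alice", "203.0.113.45", "Success"),
    _login_record("arn:aws:iam::123456789012:user/alice", "203.0.113.46", "Success"),
    # bob: office address plus an unrelated address, the second without MFA
    _login_record("arn:aws:iam::123456789012:user/bob", "203.0.113.45", "Success"),
    _login_record("arn:aws:iam::123456789012:user/bob", "198.51.100.7", "Success", mfa="No"),
    # carol: one success and one failed attempt from elsewhere (failures are ignored)
    _login_record("arn:aws:iam::123456789012:user/carol", "203.0.113.45", "Success"),
    _login_record("arn:aws:iam::123456789012:user/carol", "192.0.2.9", "Failure"),
]


def login_location(ip, known_networks):
    """Map an address to a 'label:cidr' string if it falls in a known network,
    otherwise return the address unchanged. Non-IP values pass through as-is."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ip
    for cidr, label in known_networks.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return f"{label}:{cidr}"
    return ip


def logins_from_multiple_locations(raw_events, known_networks=None):
    """Return {arn: sorted locations} for principals with successful console
    logins from more than one location. Mirrors the query: only ConsoleLogin
    events with responseElements.ConsoleLogin == "Success" are counted."""
    known_networks = known_networks or {}
    locations = defaultdict(set)
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        arn = (ev.get("userIdentity") or {}).get("arn")
        ip = ev.get("sourceIPAddress")
        if not arn or not ip:
            continue
        locations[arn].add(login_location(ip, known_networks))
    return {arn: sorted(locs) for arn, locs in locations.items() if len(locs) > 1}


if __name__ == "__main__":
    print(logins_from_multiple_locations(SAMPLE_EVENTS))
    print(logins_from_multiple_locations(SAMPLE_EVENTS, {"203.0.113.0/24": "office-nat"}))
```

Without a known-network map the result matches the query's behaviour and flags both alice and bob; with 203.0.113.0/24 labelled as the office NAT range only bob remains, since his second login came from outside every known network. The MFAUsed field is carried in the records so the check can be tightened further, for example by flagging any successful login without MFA regardless of address.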