Add T1648, T1556, T1578 and T1606 to AWS IAM #178
Conversation
sergargar
commented
Jun 28, 2023
•
sergargar
commented
- T1648 - Serverless Execution can be protected in AWS IAM by checking for overpermissive permissions in IAM users and/or roles.
- T1578 - Modify Cloud Compute Infrastructure can be protected in AWS IAM by checking for overpermissive permissions in IAM users and/or roles.
- T1556 - Modify Authentication Process can be protected in AWS IAM by enforcing MFA in IAM users.
- T1606 - Forge Web Credentials by limit IAM permissions from calling the sts:GetFederationToken API unless explicitly required, in accordance with least privilege.
- T1580 - Cloud Infrastructure Discovery can be protected in AWS IAM by checking for overpermissive permissions in IAM users and/or roles.
sergargar
changed the title
|
sergargar, thank you for submitting these mappings to our project! I’ll review and get back to you with any questions. |
sergargar
changed the title
|
Kudos, SonarCloud Quality Gate passed!
|
|
Please note that this project was published in 2021 with mappings to ATT&CK for Enterprise v9. So, for example, the mapping to T1648 (created May 2022) would not be included in this repository. We plan to update all mappings to a newer version of ATT&CK this year and will take this under consideration. The remaining techniques you mention have been updated since the project release which may have affected the existing mappings. It does seem that AWS IAM can help prevent the modification of infrastructure components (T1578) or authentication mechanisms and processes (T1556), as well as forged credential materials (T1606) and cloud infrastructure discovery (T1580). We will look to include these in the mapping repository. We are much appreciative of your input and contributions on enhancing this resource! Please let us know if you have any other suggestions or questions. Thanks! |
|
Hi sergargar! We’ll add those techniques when we update these mappings to incorporate a newer version of ATT&CK later this year. |
