Detecting suspicious activities within AWS cloud instances
Monitoring your cloud infrastructure logs allows you to enable governance, compliance, and risk auditing. Beyond compromising the security of your data, bad actors who leverage your compute resources also drive up costs, since you are billed for any new instances and for the increased bandwidth usage.
You need to monitor your cloud instances for behaviors that might indicate malicious activity is occurring somewhere within your cloud environment.
Data required
How to use Splunk software for this use case
- AWS EC2 snapshot shared externally
- ASL AWS EC2 snapshot shared externally
- AWS exfiltration via EC2 snapshot
- AWS S3 exfiltration behavior identified
- AWS AMI attribute modification for exfiltration
- AWS Lambda update function code
- AWS IAM AccessDenied discovery events
- Abnormally high number of cloud instances launched
- Abnormally high number of cloud instances destroyed
- Cloud instance modified by previously unseen user
Next steps
Splunk Enterprise Security provides a number of other searches to help reinforce your cloud security posture, including: