{"name": "aws overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "16.1"}, "sorting": 3, "description": "aws heatmap overview of aws mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 8, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_iot_device_defender\n\u2022amazon_cognito\n\u2022aws_single_sign-on\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_identity_and_access_management\n\u2022aws_organizations", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_cognito"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial protection for one of this technique's sub-techniques and a few of its procedure examples resulting in an overall Minimal protection score."}, {"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty implements a finding that flags occurrences of unattended behavior from an IAM User in the Account.\nPenTest:IAMUser/KaliLinux, PenTest:IAMUser/ParrotLinux, PenTest:IAMUser/PentooLinux, Policy:IAMUser/RootCredentialUsage, PrivilegeEscalation:IAMUser/AdministrativePermissions, UnauthorizedAccess:IAMUser/ConsoleLogin, UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B, UnauthorizedAccess:IAMUser/MaliciousIPCaller, UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/TorIPCaller, Policy:S3/AccountBlockPublicAccessDisabled, Policy:S3/BucketAnonymousAccessGranted, Policy:S3/BucketBlockPublicAccessDisabled, Policy:S3/BucketPublicAccessGranted, CredentialAccess:IAMUser/AnomalousBehavior, DefenseEvasion:IAMUser/AnomalousBehavior, Discovery:IAMUser/AnomalousBehavior, Exfiltration:IAMUser/AnomalousBehavior, Impact:IAMUser/AnomalousBehavior, Persistence:IAMUser/AnomalousBehavior, 
Recon:IAMUser/MaliciousIPCaller, Recon:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial detection capability for one of this technique's sub-techniques and a few of its procedure examples resulting in an overall Minimal protection score."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial protection for one of this technique's sub-techniques and a few of its procedure examples resulting in an overall Minimal protection score."}, {"divider": true}, {"name": "control", "value": "aws_organizations"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may protect against malicious use of cloud accounts but may not mitigate exploitation of local, domain, or default accounts present within deployed resources."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": 
"minimal"}, {"name": "comment", "value": "AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights:\n\u2022 AWS principals with suspicious access key activity\n\u2022 Credentials that may have leaked\n\u2022 AWS resources with unauthorized access attempts\n\u2022 IAM users with suspicious activity\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks:\n\u2022 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls\n\u2022 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\n\u2022 3.3 Ensure a log metric filter and alarm exist for usage of \"root\" account\n\u2022 3.4 Ensure a log metric filter and alarm exist for IAM policy changes\n\u2022 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\n\u2022 [PCI.CW.1] A log metric filter and alarm should exist for usage of the \"root\" user\nBy monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised.\nThis is scored as Minimal because it only supports a subset of the sub-techniques. 
"}, {"divider": true}, {"name": "control", "value": "aws_single_sign-on"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}]}, {"techniqueID": "T1078.004", "score": 8, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_iot_device_defender\n\u2022amazon_cognito\n\u2022aws_single_sign-on\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_identity_and_access_management\n\u2022aws_organizations", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_cognito"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon Cognito has the ability to alert and block accounts where credentials were found to be compromised elsewhere (compromised credential protection). The service also detects unusual sign-in activity, such as sign-in attempts from new locations and devices and can either prompt users for additional verification or block the sign-in request.  There was insufficient detail on the operation of these capabilities and therefore a conservative assessment of a Partial score has been assigned."}, {"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Listed findings above flag instances where there are indications of account compromise."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted misuse of cloud accounts: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". 
All of these controls are run periodically.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that appropriate AWS Identity and Access Management (IAM) policies are in place to enforce fine-grained access policies and mitigate the impact of compromised valid accounts: \"iam-customer-policy-blocked-kms-actions\", \"iam-inline-policy-blocked-kms-actions\", \"iam-no-inline-policy-check\", \"iam-group-has-users-check\", \"iam-policy-blacklisted-check\", \"iam-policy-no-statements-with-admin-access\", \"iam-policy-no-statements-with-full-access\", \"iam-role-managed-policy-check\", \"iam-user-group-membership-check\", \"iam-user-no-policies-check\", and \"ec2-instance-profile-attached\" are run on configuration changes. \"iam-password-policy\", \"iam-policy-in-use\", \"iam-root-access-key-check\", \"iam-user-mfa-enabled\", \"iam-user-unused-credentials-check\", and \"mfa-enabled-for-iam-console-access\" are run periodically. The \"access-keys-rotated\" managed rule ensures that IAM access keys are rotated at an appropriate rate.\nGiven that these rules provide robust coverage for a variety of IAM configuration problems and most are evaluated on configuration changes, they result in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. 
MFA  can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. This tool will scan upon any change to access policies or periodically within 24 hours."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender audit checks can identify potentially malicious use of valid cloud credentials by AWS IoT devices, which may indicate that devices have been compromised: \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) indicates that device certificates signed using a revoked CA certificate are still active, which may indicate that devices using those certificates are controlled by an adversary if the CA certificate was revoked due to compromise. 
\"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API), and \"Conflicting MQTT client IDs\" (\"CONFLICTING_CLIENT_IDS_CHECK\" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or IDs and/or certificates that have been revoked due to compromise, all of which suggest that an adversary may be using clones of compromised devices to leverage their access.\nThe following AWS IoT Device Defender cloud-side detection metrics can identify potentially malicious use of valid cloud credentials by IoT devices, which may indicate that devices have been compromised: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. \"Authorization failures\" (\"aws:num-authorization-failures\") counts above a typical threshold may indicate that a compromised device is attempting to use its connection to AWS IoT to access resources for which it does not have access and being denied. 
High counts for \"Disconnects\" (\"aws:num-disconnects\"), especially in conjunction with high counts for \"Connection attempts\" (\"aws:num-connection-attempts\"), which include successful attempts, may indicate that a compromised device is connecting and disconnecting from AWS IoT using the device's associated access.\nCoverage factor is partial for these metrics, checks, and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and in some cases resolve configuration problems that should be fixed in order to limit the potential impact of compromised accounts with access to AWS IoT resources: The \"Authenticated Cognito role overly permissive\" (\"AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles. The \"Unauthenticated Cognito role overly permissive\" (\"UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles and do not require authentication, which pose a substantial risk because they can be trivially accessed. The \"AWS IoT policies overly permissive\" (\"IOT_POLICY_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify AWS IoT policies which grant excessive privileges and permissions for AWS IoT actions and supports the \"REPLACE_DEFAULT_POLICY_VERSION\" mitigation action which can reduce permissions to limit potential misuse. 
The \"Role alias allows access to unused services\" (\"IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK\" in the CLI and API) and \"Role alias overly permissive\" (\"IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit checks can identify AWS IoT role aliases which allow connected devices to authenticate using their certificates and obtain short-lived AWS credentials from an associated IAM role which grant permissions and privileges beyond those necessary to the devices' functions and should be fixed in order to prevent further account compromise from compromised devices.\nCoverage factor is partial for these checks and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_organizations"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control may protect against malicious use of cloud accounts by implementing service control policies that define what actions an account may take. If best practices are followed, AWS accounts should only have the least amount of privileges required."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights:\n\u2022 AWS principals with suspicious access key activity\n\u2022 Credentials that may have leaked\n\u2022 AWS resources with unauthorized access attempts\n\u2022 IAM users with suspicious activity\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. 
AWS Security Hub provides these detections with the following checks:\n\u2022 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls\n\u2022 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA\n\u2022 3.3 Ensure a log metric filter and alarm exist for usage of \"root\" account\n\u2022 3.4 Ensure a log metric filter and alarm exist for IAM policy changes\n\u2022 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\n\u2022 [PCI.CW.1] A log metric filter and alarm should exist for usage of the \"root\" user\nBy monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised.\nThis is scored as Significant because it reports on suspicious activity by AWS accounts. "}, {"divider": true}, {"name": "control", "value": "aws_single_sign-on"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). 
The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management."}]}, {"techniqueID": "T1110", "score": 7, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_cognito\n\u2022aws_single_sign-on\n\u2022amazon_inspector\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_cognito"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Amazon Cognito's MFA capability provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Finding types such as UnauthorizedAccess:EC2/RDPBruteForce, UnauthorizedAccess:EC2/SSHBruteForce, Impact:EC2/WinRMBruteForce, and Stealth:IAMUser/PasswordPolicyChange can detect when an EC2 instance may be involved in a brute force attack aimed at obtaining passwords.  Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. 
This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.) and it only supports a subset of the sub-techniques. Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. 
"}, {"divider": true}, {"name": "control", "value": "aws_single_sign-on"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may not provide any mitigation against password cracking."}]}, {"techniqueID": "T1110.001", "score": 7, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_cognito\n\u2022aws_single_sign-on\n\u2022amazon_inspector\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_cognito"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access  mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other  components such as EC2 instances. "}, {"divider": true}, {"name": "control", "value": "aws_single_sign-on"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control may protect against brute force techniques by enabling multi-factor authentication. 
All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement."}]}, {"techniqueID": "T1110.002", "score": 3, "comment": " Related to: \n \u2022amazon_inspector\n\u2022aws_config\n\u2022amazon_cognito", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_cognito"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant."}]}, {"techniqueID": "T1110.003", "score": 7, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_cognito\n\u2022aws_single_sign-on\n\u2022amazon_inspector\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_cognito"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. 
This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access  mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other  components such as EC2 instances. "}, {"divider": true}, {"name": "control", "value": "aws_single_sign-on"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control may protect against brute force techniques by enabling multi-factor authentication. 
All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement."}]}, {"techniqueID": "T1110.004", "score": 7, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_cognito\n\u2022aws_single_sign-on\n\u2022amazon_inspector\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_cognito"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access  mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other  components such as EC2 instances. "}, {"divider": true}, {"name": "control", "value": "aws_single_sign-on"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control may protect against brute force techniques by enabling multi-factor authentication. 
All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement."}]}, {"techniqueID": "T1020", "score": 3, "comment": " Related to: \n \u2022aws_iot_device_defender\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.\nBehavior:EC2/TrafficVolumeUnusual Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller"}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal."}]}, {"techniqueID": "T1021.008", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty findings including 
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B can aid in detection of this technique."}]}, {"techniqueID": "T1029", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.\nBehavior:EC2/TrafficVolumeUnusual\nAccuracy and coverage are unknown, as this finding flags traffic volume that differs from a baseline."}]}, {"techniqueID": "T1041", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_iot_device_defender\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents.\nBehavior:EC2/TrafficVolumeUnusual\nAccuracy and coverage are unknown, as this finding flags traffic volume that differs from a baseline."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices using an established command and control channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 
\"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over command and control channels.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance. 
"}]}, {"techniqueID": "T1046", "score": 6, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_iot_device_defender\n\u2022amazon_inspector\n\u2022amazon_guardduty\n\u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding types reflect flagged events where there is an attempt to get a list of services running on a remote host.\nRecon:EC2/PortProbeEMRUnprotectedPort Recon:EC2/PortProbeUnprotectedPort Recon:EC2/Portscan Impact:EC2/PortSweep"}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. 
"}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can filter both internal and external network traffic and therefore, can mitigate unauthorized network service scanning."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices to search their networks for other hosts and their running services, possibly to subsequently carry out lateral movement techniques: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected devices. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic used to discover other hosts/services. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols that may suggest scanning is taking place.\nCoverage factor is partial, since these metrics are limited to IoT device communication and detection is only based on network traffic, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within network protected by the firewall. "}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet  AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic  in near real-time, only protect web applications against scans performed by bots."}]}, {"techniqueID": "T1048", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_iot_device_defender\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel.\nTrojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual"}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique.  For environments where Internet access is required, these controls can be used to block known malicious addresses.  
Because this latter protection is limited to known malicious endpoints, it provides Partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. 
"}]}, {"techniqueID": "T1048.003", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_iot_device_defender\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.\nTrojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual"}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel.  In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints.  
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. 
"}]}, {"techniqueID": "T1059.009", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The GuardDuty finding Impact:IAMUser/AnomalousBehavior can aid in the detection of abuse of AWS APIs."}]}, {"techniqueID": "T1071", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_iot_device_defender\n\u2022aws_web_application_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Trojan:EC2/DropPoint!DNS Trojan:EC2/DropPoint Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS\n"}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and application layer protocols - especially the Message Queuing Telemetry Transport (MQTT) protocol - to communicate for command and control purposes: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. 
\"Messages sent\" (\"aws:num-messages-sent\"), \"Messages received\" (\"aws:num-messages-received\"), and \"Message size\" (\"aws:message-byte-size\") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include command and control traffic.\nThe following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and application layer protocols - especially the Message Queuing Telemetry Transport (MQTT) protocol - to communicate for command and control purposes: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include command and control traffic. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols that may suggest application layer command and control traffic.\nCoverage factor is minimal, since these metrics are limited to IoT device communication and none of this technique's sub-techniques are addressed, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. Given this supports all sub-techniques, the mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet  AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet  AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet  AWSManagedRulesUnixRuleSet  AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet  AWSManagedRulesWordPressRuleSet  AWSManagedRulesBotControlRuleSet\nThis is scored as Minimal because the rule sets only protect against a subset of the sub-techniques (1 of 4)."}]}, {"techniqueID": "T1071.001", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_web_application_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation"}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet  AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet  AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet  AWSManagedRulesUnixRuleSet  AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet  AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Minimal because the rule sets only protect against the web protocols sub-technique."}]}, {"techniqueID": "T1071.002", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation"}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1071.003", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation"}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1071.004", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation"}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1078.001", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Listed findings above flag instances where there are indications of account compromise."}]}, {"techniqueID": "T1090", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_web_application_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nUnauthorizedAccess:EC2/TorClient UnauthorizedAccess:EC2/TorRelay\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting.  
It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only supports a subset of the sub-techniques, and because it only blocks known bad IP addresses and domains and does not protect against unknown ones."}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.\nAWSManagedRulesAnonymousIpList\nThis is given a score of Partial because it provides protections for only a subset of the sub-techniques, and is based only on known IP addresses. 
Furthermore, it blocks the malicious content in near real-time."}]}, {"techniqueID": "T1090.001", "score": 2, "comment": " Related to: \n \u2022amazon_virtual_private_cloud\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques."}]}, {"techniqueID": "T1090.002", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_web_application_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal 
score."}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones."}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.\nAWSManagedRulesAnonymousIpList\nThis is given a score of Partial because it provides protections based only on known IP addresses. 
Furthermore, it blocks the malicious content in near real-time."}]}, {"techniqueID": "T1090.003", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_web_application_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. 
This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones."}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.\nAWSManagedRulesAnonymousIpList\nThis is given a score of Partial because it provides protections based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time."}]}, {"techniqueID": "T1098", "score": 4, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_identity_and_access_management\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty has a finding type that flags events where an adversary may have compromised an AWS IAM User. 
Finding Type: Persistence:IAMUser/AnomalousBehavior"}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control may generate logs for creation and manipulation of accounts but the relevant security information would be handled by another security control."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. 
AWS Security Hub provides this detection with the following check.\n3.4 Ensure a log metric filter and alarm exist for IAM policy changes \nThis is scored as Minimal because it only supports a subset of the sub-techniques."}]}, {"techniqueID": "T1098.001", "score": 4, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_identity_and_access_management\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted manipulation of cloud accounts: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". All of these controls are run periodically and provide partial coverage, since adversaries may be able to manipulate cloud credentials via other mechanisms, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. 
This tool will scan upon any change to access policies or periodically within 24 hours."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. AWS Security Hub provides this detection with the following check.\n3.4 Ensure a log metric filter and alarm exist for IAM policy changes \nThis is scored as Significant because it can monitor all changes to IAM policy which can be used to detect any changes made to accounts. "}]}, {"techniqueID": "T1098.004", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair."}]}, {"techniqueID": "T1189", "score": 3, "comment": " Related to: \n \u2022amazon_inspector\n\u2022aws_web_application_firewall\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "There is a GuardDuty Finding that flags this behavior: Trojan:EC2/DriveBySourceTraffic!DNS"}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. 
Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS WAF protects against drive-by compromises by blocking malicious traffic that contains cross-site scripting patterns with the following rule set.\nAWSManagedRulesCommonRuleSet\nThis is scored as Significant because the rule set is broadly applicable to web applications and blocks the malicious traffic in near real-time."}]}, {"techniqueID": "T1190", "score": 7, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_rds\n\u2022aws_security_hub\n\u2022amazon_inspector\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "There is a GuardDuty finding type that captures when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable (e.g., IAM credentials associated with the resource).\nUnauthorizedAccess:EC2/MetadataDNSRebind - This finding type only detects MetadataDNSRebind and is more focused on the EC2 instance and not the application running on the instance itself 
resulting in Minimal coverage."}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that a public-facing application or server is compromised, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that applications intended for internal use cannot be accessed externally for exploitation: \"api-gw-endpoint-type-check\" can ensure that Amazon API Gateway APIs are private and can only be accessed from within VPCs, \"elasticsearch-in-vpc-only\" can ensure that Amazon ElasticSearch Service (Amazon ES) domains are in the same VPC and the domain endpoint is not public, \"lambda-function-public-access-prohibited\" can verify that AWS Lambda functions are not publicly available, and \"ec2-instance-no-public-ip\" can verify whether EC2 instances have public IP addresses.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that insecure applications are not installed and installed packages are kept updated, reducing the likelihood of adversary exploitation: the \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation. 
\"rds-automatic-minor-version-upgrade-enabled\" can verify that Amazon RDS is being patched, and \"elastic-beanstalk-managed-updates-enabled\" can verify that Elastic Beanstalk is being patched.\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services that can be used to host public-facing applications and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation.     "}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. 
AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It does not cover zero-day vulnerabilities."}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The AWS WAF protects public-facing applications against a range of vulnerabilities including those listed in the OWASP Top 10. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet  AWSManagedRulesKnownBadInputRuleSet AWSManagedRulesSQLiRuleSet  AWSManagedRulesLinuxRuleSet  AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet  AWSManagedRulesPHPRuleSet  AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it protects against vulnerabilities across multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress). 
Furthermore, it blocks the malicious content in near real-time."}]}, {"techniqueID": "T1485", "score": 6, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_rds\n\u2022aws_security_hub\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_s3", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding type flags events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nImpact:S3/MaliciousIPCaller, Impact:IAMUser/AnomalousBehavior Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux"}, {"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include data destruction: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including S3:DeleteObject) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of data destruction: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nThe following AWS Config managed rules provide specific detections for 
configuration problems that should be fixed in order to prevent malicious deletion of specific data: \"elb-deletion-protection-enabled\" for Elastic Block Store (EBS) volumes, and \"rds-cluster-deletion-protection-enabled\" and \"rds-instance-deletion-protection-enabled\" for RDS data.\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against destruction, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS provides deletion protection which prevents any user from deleting a database instance. If applied, the setting may mitigate attempts to delete a database instance. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has destroyed the database instance.\nRDS-EVENT-0003: The DB instance has been deleted RDS-EVENT-0041: A DB snapshot has been deleted\nThis mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized deletion.\n"}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted, AWS RDS can be used to restore the database instance to a previous point in time. 
As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_s3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS S3 may protect against data destruction through application of several best practices. Multi-factor authentication can be enabled for delete operations and for changing the versioning state of a bucket. Versioning can be enabled to revert objects to a previous state after malicious destruction or corruption. S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. In addition, S3 Cross Region Replication can be used to replicate S3 buckets to another AWS region for added protection."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the scheduled destruction of Customer Master Keys (CMKs) which are critical for being able to decrypt data. AWS Security Hub provides this detection with the following check.\nEnsure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\nThis is scored as Minimal because CMKs only represent one type of data that could be destroyed by an adversary. 
"}]}, {"techniqueID": "T1486", "score": 4, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_rds\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding type flags events where adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.\nImpact:S3/MaliciousIPCaller Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux"}, {"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is encrypted (e.g., ransomware), AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.\n"}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious changes to data encryption within Amazon Simple Storage Service (S3) storage: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious changes to data encryption: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nCoverage factor is partial for these rules, since they are specific to a 
subset of the available AWS services and will only protect certain types of data against malicious encryption changes, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is encrypted by an adversary (e.g., ransomware), AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1491", "score": 3, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty provides multiple finding types that flag malicious activity against resources. These findings focus on API calls that look suspicious and although they do not flag events such as Defacement specifically, it can be inferred that these findings can result in mitigating this technique's negative impact. With this assumption the score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2 at the time of this mapping)."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant."}]}, {"techniqueID": "T1491.001", "score": 3, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types can be used to detect behavior that can lead to the defacement of\ncloud resources:\nImpact:S3/MaliciousIPCaller\nExfiltration:S3/MaliciousIPCaller\nExfiltration:S3/ObjectRead.Unusual\nPenTest:S3/KaliLinux\nPenTest:S3/ParrotLinux\nPenTest:S3/PentooLinux\nUnauthorizedAccess:S3/MaliciousIPCaller.Custom\nUnauthorizedAccess:S3/TorIPCaller"}, {"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nCoverage factor is significant for 
these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant."}]}, {"techniqueID": "T1491.002", "score": 3, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types can be used to detect behavior that can lead to the defacement of\ncloud resources:\nImpact:S3/MaliciousIPCaller\nExfiltration:S3/MaliciousIPCaller\nExfiltration:S3/ObjectRead.Unusual\nPenTest:S3/KaliLinux\nPenTest:S3/ParrotLinux\nPenTest:S3/PentooLinux\nUnauthorizedAccess:S3/MaliciousIPCaller.Custom\nUnauthorizedAccess:S3/TorIPCaller"}, {"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nCoverage factor is significant for 
these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant."}]}, {"techniqueID": "T1496", "score": 4, "comment": " Related to: \n \u2022aws_cloudwatch\n\u2022aws_iot_device_defender\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems in order to solve resource-intensive problems, which may impact system and/or hosted service availability.\nCryptoCurrency:EC2/BitcoinTool.B\nCryptoCurrency:EC2/BitcoinTool.B!DNS\nImpact:EC2/BitcoinDomainRequest.Reputation\nUnauthorizedAccess:EC2/TorRelay"}, {"divider": true}, {"name": "control", "value": "aws_cloudwatch"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS CloudWatch provides metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers, among others. 
The following metrics (not an exhaustive list) could be used to detect that the usage of a resource has increased, such as when an adversary hijacks a resource to perform intensive tasks.\nLinux/Mac OS: cpu_time_active, cpu_time_guest, cpu_usage_active, cpu_usage_guest, disk_free, disk_total, disk_used, ethtool_bw_in_allowance_exceeded, ethtool_bw_out_allowance_exceeded, ethtool_conntrack_allowance_exceeded, mem_active, mem_available_percent, mem_free, net_bytes_recv, net_bytes_sent, net_packets_sent, net_packets_recv, netstat_tcp_established, netstat_tcp_listen, processes_running, processes_total, swap_free, swap_used\nContainers: CpuUtilized, MemoryUtilized, NetworkRxBytes, NetworkTxBytes, node_cpu_usage_total, node_cpu_utilization, node_filesystem_utilization, node_memory_utilization\nThis mapping is given a score of Partial because it is not possible to differentiate between an authorized and an unauthorized increase in resource utilization."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure alarms exist for spikes in resource utilization, which help to identify malicious use of resources within a cloud environment: \"cloudwatch-alarm-action-check\", \"cloudwatch-alarm-resource-check\", \"cloudwatch-alarm-settings-check\", \"desired-instance-tenancy\", \"desired-instance-type\", \"dynamodb-autoscaling-enabled\", \"dynamodb-throughput-limit-check\", \"ec2-instance-detailed-monitoring-enabled\", and \"rds-enhanced-monitoring-enabled\".\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only detect resource hijacking that results in a change in utilization that is significant enough to trigger alarms, resulting in an overall score of Partial."}, {"divider": true}, 
{"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices' resources to perform resource-intensive operations like mining cryptocurrency or performing denial of service attacks on other environments: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic related to resource hijacking activities. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols which may include traffic related to resource hijacking activities.\nCoverage factor is partial, since these metrics are limited to IoT device hijacking, resulting in an overall score of Partial."}]}, {"techniqueID": "T1498", "score": 5, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_shield", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following 
finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\nBackdoor:EC2/DenialOfService.UdpOnTcpPorts\nBackdoor:EC2/DenialOfService.UnusualProtocol\nBackdoor:EC2/DenialOfService.Udp\nBackdoor:EC2/DenialOfService.Tcp\nBackdoor:EC2/DenialOfService.Dns"}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints, but they are effective at mitigating only low-volume DoS attacks, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While AWS Network Firewall supports all sub-techniques (2 of 2 at the time of this mapping), this mapping is given a score of Minimal because it is often necessary to block the traffic at an Internet Service Provider or Content Provider Network level. 
"}, {"divider": true}, {"name": "control", "value": "aws_shield"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}]}, {"techniqueID": "T1498.001", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_shield\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\nBackdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns"}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because it is often necessary to block the traffic at an Internet Service Provider or Content Provider Network level. "}, {"divider": true}, {"name": "control", "value": "aws_shield"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Shield applies a static network flow threshold to incoming traffic to AWS services. This reduces direct network DoS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time. AWS Shield Advanced identifies anomalies in network traffic to flag attempted attacks and executes inline mitigations to resolve the issue. "}]}, {"techniqueID": "T1498.002", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_shield\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\nBackdoor:EC2/DenialOfService.UdpOnTcpPorts\nBackdoor:EC2/DenialOfService.UnusualProtocol\nBackdoor:EC2/DenialOfService.Udp\nBackdoor:EC2/DenialOfService.Tcp\nBackdoor:EC2/DenialOfService.Dns"}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) 
attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because it is often necessary to block the traffic at an Internet Service Provider or Content Provider Network level. "}, {"divider": true}, {"name": "control", "value": "aws_shield"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Shield applies a static network flow threshold to incoming traffic to AWS services. This reduces direct network DoS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time. AWS Shield Advanced identifies anomalies in network traffic to flag attempted attacks and executes inline mitigations to resolve the issue. "}]}, {"techniqueID": "T1526", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty flags events where there is an attempt to discover information about resources. 
GuardDuty monitors for potential threats and suspicious behavior that attempt to discover information about cloud services."}]}, {"techniqueID": "T1530", "score": 7, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_rds\n\u2022aws_security_hub\n\u2022aws_iot_device_defender\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_s3", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding types flag events where adversaries may have accessed data objects from improperly secured cloud storage.\nUnauthorizedAccess:S3/MaliciousIPCaller.Custom\nUnauthorizedAccess:S3/TorIPCaller\nImpact:S3/MaliciousIPCaller\nExfiltration:S3/MaliciousIPCaller\nExfiltration:S3/ObjectRead.Unusual\nPenTest:S3/KaliLinux\nPenTest:S3/ParrotLinux\nPenTest:S3/PentooLinux"}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage: \"s3-account-level-public-access-blocks\", \"s3-bucket-level-public-access-prohibited\", \"s3-bucket-public-read-prohibited\", \"s3-bucket-policy-not-more-permissive\", \"cloudfront-origin-access-identity-enabled\", and \"cloudfront-default-root-object-configured\" identify objects that are publicly available or subject to overly permissive access policies; \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions for principals from other AWS accounts; and \"s3-bucket-policy-grantee-check\" checks whether bucket policies appropriately control which AWS principals, federated users, 
service principals, IP addresses, and VPCs have access. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data from other AWS services: \"dms-replication-not-public\" for AWS Database Migration Service; \"emr-master-no-public-ip\" for Amazon Elastic MapReduce (EMR); \"rds-cluster-iam-authentication-enabled\", \"rds-instance-iam-authentication-enabled\", \"rds-instance-public-access-check\" and \"rds-snapshots-public-prohibited\" for Amazon Relational Database Service; \"redshift-cluster-public-access-check\" for Amazon Redshift; and \"sagemaker-notebook-no-direct-internet-access\" for SageMaker.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data are encrypted to prevent malicious access: \"dax-encryption-enabled\", \"dynamodb-table-encrypted-kms\", and \"dynamodb-table-encryption-enabled\" for Amazon DynamoDB table contents; \"efs-encrypted-check\" for Amazon Elastic File System (EFS) file systems; \"elasticsearch-encrypted-at-rest\" for Elasticsearch Service (ES) domains; \"rds-snapshot-encrypted\" and \"rds-storage-encrypted\" for Amazon Relational Database Service; \"s3-bucket-server-side-encryption-enabled\" and \"s3-default-encryption-kms\" for S3 storage; \"sns-encrypted-kms\" for Amazon Simple Notification Service (SNS); \"redshift-cluster-configuration-check\" and \"redshift-cluster-kms-enabled\" for Redshift clusters; \"sagemaker-endpoint-configuration-kms-key-configured\" and \"sagemaker-notebook-instance-kms-key-configured\" for SageMaker.\nThese rules provide a wide range of coverage for many AWS services, especially those most significant to procedures for this technique, resulting in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": 
"detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. \"Messages sent\" (\"aws:num-messages-sent\"), \"Messages received\" (\"aws:num-messages-received\"), and \"Message size\" (\"aws:message-byte-size\") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage.\nThe following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage.\nCoverage factor is partial, since these metrics are limited to IoT device-based collection, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud that AWS Network Firewall protects, the mapping is only given a score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the encryption of the underlying storage for database instances, backups, read replicas, and snapshots using the AES-256 encryption algorithm. This can prevent an adversary from reading the contents of a database instance in the event they gain access to the underlying system where the database instance is hosted or to S3 where the backups are stored. Furthermore, AWS RDS has a setting that specifies whether or not a database instance is publicly accessible. When public accessibility is turned off, the database instance will not be reachable from outside the VPC in which it was created. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_s3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "S3 provides full control of access via Identity and Access Management (IAM) policies and access control lists (ACLs). The S3 Block Public Access feature enforces limits on public access to Amazon S3 resources regardless of how the resources were created or what their associated IAM policies allow. 
Server-side encryption can be enabled for data at rest and allows for use of S3-managed keys, AWS Key Management Service managed keys, or customer-provided keys."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured S3 buckets, such as those with public read or write access, that may result in an adversary gaining access to data in cloud storage. AWS Security Hub provides this detection with the following managed insight.\nS3 buckets with public write or read permissions\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help detect changes that leave S3 buckets improperly secured and therefore discoverable. AWS Security Hub provides this detection with the following check.\n3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes\nThis is scored as Partial because it only detects when S3 buckets have public read or write access and doesn't detect improperly secured data in other storage types (e.g., DBs, NFS, etc.)."}]}, {"techniqueID": "T1531", "score": 2, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding type flags events where adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nImpact:IAMUser/AnomalousBehavior"}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, 
would help detect the modification of accounts. AWS Security Hub provides this detection with the following check.\n3.4 Ensure a log metric filter and alarm exist for IAM policy changes\nThis is scored as Partial because it only supports the monitoring of changes to AWS IAM accounts and not accounts within the operating systems running on instances."}]}, {"techniqueID": "T1552", "score": 6, "comment": " Related to: \n \u2022aws_iot_device_defender\n\u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_key_management_service\n\u2022aws_secrets_manager\n\u2022aws_cloudhsm", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples, resulting in a Minimal Coverage score and consequently an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: \"codebuild-project-envvar-awscred-check\" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, and \"codebuild-project-source-repo-url-check\" for personal access tokens and/or credentials within source repository URLs.\nThe following AWS Config managed rules can identify configuration problems that should be 
fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: \"secretsmanager-rotation-enabled-check\", \"secretsmanager-scheduled-rotation-success-check\", \"secretsmanager-secret-periodic-rotation\", and \"secretsmanager-using-cmk\".\nThis control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_key_management_service"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_secrets_manager"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user."}]}, {"techniqueID": "T1552.001", "score": 5, "comment": " Related to: \n \u2022aws_config\n\u2022amazon_guardduty\n\u2022aws_key_management_service\n\u2022aws_secrets_manager\n\u2022aws_cloudhsm", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types in Amazon GuardDuty can be used to identify 
potentially malicious interactions with S3 which may lead to the compromise of any credential files stored in S3: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller\nThe score is capped at Partial since the findings only apply to credential files stored within S3 buckets and only certain types of suspicious behaviors."}, {"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This service provides a more secure alternative to storing encryption keys in the file system. As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage, which may include files containing credentials: \"s3-account-level-public-access-blocks\", \"s3-bucket-level-public-access-prohibited\", \"s3-bucket-public-read-prohibited\", \"s3-bucket-policy-not-more-permissive\", \"cloudfront-origin-access-identity-enabled\", and \"cloudfront-default-root-object-configured\" identify objects that are publicly available or subject to overly permissive access policies; and \"s3-bucket-policy-grantee-check\" checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. 
All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data - which may include files containing credentials - are encrypted to prevent malicious access: \"s3-bucket-server-side-encryption-enabled\" and \"s3-default-encryption-kms\" for S3 storage, \"ec2-ebs-encryption-by-default\" and \"encrypted-volumes\" for EBS volumes.\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_key_management_service"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This service provides a more secure alternative to storing encryption keys in the file system. As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_secrets_manager"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user."}]}, {"techniqueID": "T1552.005", "score": 2, "comment": " Related to: \n \u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type flags attempts to run AWS API operations from a host outside of EC2 using temporary AWS credentials that were created on an EC2 instance in your AWS environment. This may indicate that the temporary credentials have been compromised. Score is capped at Minimal because external use is required for detection."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ec2-imdsv2-check\" managed rule can identify instances which are configured to use the outdated Instance Metadata Service Version 1 (IMDSv1), which is less secure than IMDSv2. This provides partial coverage, since adversaries may find ways to exploit the more secure IMDSv2, resulting in an overall score of Partial."}]}, {"techniqueID": "T1562", "score": 5, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_iot_device_defender\n\u2022amazon_inspector\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty flags the following finding type DefenseEvasion:IAMUser/AnomalousBehavior as a defense evasion technique. It looks for API calls that delete, disable, or stop operations, such as, DeleteFlowLogs, DisableAlarmActions, or StopLogging. 
The following Finding types are examples:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled"}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. "}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides significant coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. \"Detect the use of insecure network services and protocols with known security weaknesses\""}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. 
\"plan the appropriate remediation to prevent unauthorized device access or data disclosure.\""}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. \"you can continuously ingest and evaluate message size data, which can point to issues such as credential abuse.\""}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  3.12 Ensure a log metric filter and alarm exist for changes to network gateways  3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Partial because it only supports a subset of the sub-techniques (3 of 8).  
"}]}, {"techniqueID": "T1562.001", "score": 4, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_inspector\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller"}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ec2-managedinstance-applications-required\" managed rule verifies that all applications in a pre-defined list of requirements are installed on specified managed instances, and is run on configuration changes. 
It will not detect modification to those applications, but will detect if they are uninstalled. The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances, and can be used to detect installation of applications below a minimum version, which can identify adversary attempts to downgrade required tools to insecure or ineffective older versions. Given the host-based scoping of this technique, coverage is partial, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  3.12 Ensure a log metric filter and alarm exist for changes to network gateways  3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made.  
\n\n\n\"Security Hub collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues\""}]}, {"techniqueID": "T1562.006", "score": 2, "comment": " Related to: \n \u2022amazon_inspector\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller"}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1562.008", "score": 4, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_iot_device_defender\n\u2022aws_config\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller\n\n \"Amazon GuardDuty is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in GuardDuty.\""}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify potentially malicious changes to cloud logging: \"api-gw-execution-logging-enabled\", \"cloudfront-accesslogs-enabled\", \"elasticsearch-logs-to-cloudwatch\", \"elb-logging-enabled\", \"redshift-cluster-configuration-check\", \"rds-logging-enabled\", and \"s3-bucket-logging-enabled\" are run on configuration changes. \"cloudtrail-security-trail-enabled\", \"cloud-trail-cloud-watch-logs-enabled\", \"cloudtrail-s3-dataevents-enabled\", \"vpc-flow-logs-enabled\", \"waf-classic-logging-enabled\", and \"wafv2-logging-enabled\" are run periodically.\nCoverage factor is significant for these rules, since they cover logging configuration for a wide range of services, resulting in an overall score of Significant. 
\n\n\"AWS Config is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Config. \""}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"Logging disabled\" audit check (\"LOGGING_DISABLED_CHECK\" in the CLI and API) can identify potentially malicious changes to AWS IoT logs (both V1 and V2), which should be enabled in Amazon CloudWatch. Score is limited to Partial since this control only addresses IoT logging."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ENABLE_IOT_LOGGING\" mitigation action (which is supported by the \"Logging disabled\" audit check) enables AWS IoT logging if it is not enabled when the check is run, effectively reversing the adversary behavior if those logs were disabled due to malicious changes. Score is limited to Partial since this control only addresses IoT logging."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. 
AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  3.12 Ensure a log metric filter and alarm exist for changes to network gateways  3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made.  "}]}, {"techniqueID": "T1565", "score": 4, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022amazon_virtual_private_cloud\n\u2022aws_rds\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding type flags events where adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity.\nImpact:S3/MaliciousIPCaller"}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can provide protection against one sub-technique (Transmitted Data Manipulation) of this technique while not providing protection for its remaining sub-techniques resulting in overall score of Partial."}, {"divider": true}, {"name": "control", "value": 
"aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is manipulated, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Minimal because it only supports a subset (1 of 3) of the sub-techniques.\n"}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. This mapping is given a score of Partial because it only supports a subset of the sub-techniques (2 of 3). "}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. 
As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1565.001", "score": 3, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_rds\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Impact:S3/MaliciousIPCaller finding type is looking for API calls commonly associated with Impact tactic of techniques where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment."}, {"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is manipulated, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. 
In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1566", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty implements a finding type that flags/alerts when an EC2 service queries a Domain known to be tied to a phishing attack.\nTrojan:EC2/PhishingDomainRequest!DNS"}]}, {"techniqueID": "T1566.001", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service."}]}, {"techniqueID": "T1566.002", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service."}]}, {"techniqueID": "T1566.003", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service."}]}, {"techniqueID": "T1567", 
"score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual"}]}, {"techniqueID": "T1567.001", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual"}]}, {"techniqueID": "T1567.002", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual"}]}, {"techniqueID": "T1567.003", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, 
{"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual"}]}, {"techniqueID": "T1567.004", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual"}]}, {"techniqueID": "T1568", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.\nTrojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS"}]}, {"techniqueID": "T1568.002", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty has the following 
finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.\nTrojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS"}]}, {"techniqueID": "T1571", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "GuardDuty has the following finding type to flag events where adversaries may communicate using a protocol and port paring that are typically not associated.\nBehavior:EC2/NetworkPortUnusual"}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore, protect against adversaries attempting to use non-standard ports for C2 traffic."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict which protocols and port numbers are allowed through the firewall and prevent adversaries from using non-standard ports. As a result, this mapping is given a score of Significant. 
"}]}, {"techniqueID": "T1580", "score": 3, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_guardduty\n\u2022aws_organizations", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following GuardDuty finding types flag events that are linked to Discovery techniques and can be used to capture events where a malicious user may be searching through the account looking for available resources. The finding types are also used to flag certain signatures of running services to detect malicious user activities from commonly used pentest operating systems.\nDiscovery:IAMUser/AnomalousBehavior Discovery:S3/MaliciousIPCaller Discovery:S3/MaliciousIPCaller.Custom Discovery:S3/TorIPCaller PenTest:IAMUser/KaliLinux PenTest:IAMUser/ParrotLinux PenTest:IAMUser/PentooLinux PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux"}, {"divider": true}, {"name": "control", "value": "aws_organizations"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may protect against cloud infrastructure discovery by segmenting accounts into separate organizational units and restricting infrastructure access by least privilege."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access as well as accessible EC2 instances that may result in an adversary learning  about cloud infrastructure used by the organization. 
AWS Security Hub provides these detections  with the following managed insights.\nS3 buckets with public write or read permissions EC2 instances that have ports accessible from the Internet EC2 instances that are open to the Internet\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check.\n3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes \nThis is scored as Partial because S3 and EC2 only represent a subset of available cloud infrastructure components. "}]}, {"techniqueID": "T1595", "score": 5, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022amazon_inspector\n\u2022amazon_guardduty\n\u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Documentation states that the Service can flag such attempts: Reconnaissance -- Activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP. Note: This is from the perspective of the resource running in the AWS account. Meaning GuardDuty has several finding types that flag events that take place via a resource (e.g., EC2, IAM, S3)."}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). 
Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. While this mapping supports all sub-techniques (2 of 2), this mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within the network protected by the firewall. "}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. 
AWS WAF does this by blocking malicious traffic that indicates bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet  AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots."}]}, {"techniqueID": "T1595.001", "score": 5, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022amazon_inspector\n\u2022amazon_guardduty\n\u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "There are a few finding types offered by GuardDuty that flag this behavior: Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep."}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. 
"}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within the network protected by the firewall. "}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicates bad bots such as those listed above (e.g., via User-Agent values). 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet  AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic  in near real-time, only protect web applications against scans performed by bots."}]}, {"techniqueID": "T1595.002", "score": 5, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022amazon_inspector\n\u2022amazon_guardduty\n\u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "There are finding types that show when an EC2 instance is probing other AWS resources for information. Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep"}, {"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning.  
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within the network protected by the firewall. "}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicates bad bots such as those listed above (e.g., via User-Agent values). 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet  AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic  in near real-time, only protect web applications against scans performed by bots."}]}, {"techniqueID": "T1619", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The GuardDuty finding Discovery:IAMUser/AnomalousBehavior can be used to detect this technique."}]}, {"techniqueID": "T1622", "score": 1, "comment": " Related to: \n \u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon GuardDuty finding DefenseEvasion:Runtime/PtraceAntiDebugging can aid in the detection of a specific type of Debugger Evasion."}]}, {"techniqueID": "T1649", "score": 2, "comment": " Related to: \n \u2022aws_cloudhsm\n\u2022amazon_guardduty", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_guardduty"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon GuardDuty finding AttackSequence:IAM/CompromisedCredentials can aid in the detection of compromised credentials."}, {"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This service provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization."}]}, {"techniqueID": "T1003", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": 
"amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1003.007", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1003.008", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1021", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, \"Disable root login over SSH\". This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. 
Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows), it only restricts access to remote services for one user account, and only supports one sub-technique, the coverage score is Minimal leading to an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can provide partial protection for all of its sub-techniques and procedure examples resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts for most of the sub-techniques (5 of 6), it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack."}]}, {"techniqueID": "T1021.004", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, \"Disable root login over SSH\". 
This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack."}]}, {"techniqueID": "T1037", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1037.004", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Due to this, the score is capped at Partial. "}]}, {"techniqueID": "T1053", "score": 2, "comment": " Related to: \n \u2022amazon_inspector\n\u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. "}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal."}]}, {"techniqueID": "T1053.001", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1053.003", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1053.006", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1068", "score": 3, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_inspector\n\u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). 
Both can reduce instances' attack surface for adversary exploitation, including for privilege escalation.\nThe \"ecs-task-definition-user-for-host-mode-check\" managed rule can identify Amazon Elastic Container Service (ECS) task definitions for containers with host networking mode and 'privileged' or 'user' container definitions, which may enable adversaries to break out of containers and gain access to the underlying host, increasing their access and privileges.\nAll of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. 
It does not cover zero-day vulnerabilities."}]}, {"techniqueID": "T1070", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1070.002", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1070.003", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1070.004", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1070.005", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1070.006", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1070.007", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1070.008", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1070.009", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1133", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022amazon_inspector\n\u2022aws_single_sign-on", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, \"Disable root login over SSH\". This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. 
Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can limit access to external remote services to the minimum necessary."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow certain remote services to be available. Furthermore, it can enforce restrictions such that remote services are only accessible from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack)."}, {"divider": true}, {"name": "control", "value": "aws_single_sign-on"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts. 
"}]}, {"techniqueID": "T1203", "score": 4, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_inspector\n\u2022aws_config\n\u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). 
Both can reduce instances' attack surface for adversary exploitation, including for client execution.\nAll of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. 
It does not cover zero-day vulnerabilities."}, {"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS WAF protects against exploitation for client execution (browser-based exploitation) by blocking malicious traffic that contains cross-site scripting patterns with the following rule set.\nAWSManagedRulesCommonRuleSet\nThis is scored as Significant because the rule set is broadly applicable to web applications and blocks the malicious traffic in near real-time."}]}, {"techniqueID": "T1210", "score": 5, "comment": " Related to: \n \u2022amazon_virtual_private_cloud\n\u2022aws_security_hub\n\u2022aws_rds\n\u2022amazon_inspector\n\u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess a security control \"Support SSH version 2 only\" that prevents a vulnerable version of SSH from being used, as well as assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. 
As a result, the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict access to remote services to the minimum necessary."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited), both of which can reduce instances' attack surface for adversary exploitation, including via those applications' exposed remote services. The \"ec2-instance-no-public-ip\" managed rule identifies EC2 instances with public IP associations, which should be removed unless necessary to avoid exposing services publicly for adversary access.\nAll of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. 
This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It does not cover zero-day vulnerabilities."}]}, {"techniqueID": "T1211", "score": 3, "comment": " Related to: \n \u2022aws_security_hub\n\u2022amazon_inspector\n\u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. 
Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for defense evasion.\nAll of these are run on configuration changes. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It does not cover zero-day vulnerabilities."}]}, {"techniqueID": "T1212", "score": 4, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_secrets_manager\n\u2022amazon_inspector\n\u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. 
As a result, the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for credential access.\nAll of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_secrets_manager"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may protect against exploitation for credential access by removing credentials and secrets from applications that can be exploited and requiring authenticated API calls to retrieve those credentials and secrets."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. 
AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It does not cover zero-day vulnerabilities."}]}, {"techniqueID": "T1222", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1222.002", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Due to this the score is capped at Partial. "}]}, {"techniqueID": "T1489", "score": 2, "comment": " Related to: \n \u2022aws_rds\n\u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to stop a database instance.\nRDS-EVENT-0087: The DB instance has been stopped\nThis mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized stopping of the database instance.\n"}]}, {"techniqueID": "T1529", "score": 2, "comment": " Related to: \n \u2022aws_rds\n\u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute 
system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has shutdown or rebooted the database instance. \nRDS-EVENT-0006: The DB instance restarted, RDS-EVENT-0004: The DB instance shutdown, RDS-EVENT-0022: An error has occurred while restarting MySQL or MariaDB\nThis mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized shutdown/reboot."}]}, {"techniqueID": "T1543", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1543.002", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. "}]}, {"techniqueID": "T1548", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1548.003", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1562.003", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1562.004", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; rather, it just checks to see if security controls are in place, which can inform decisions around hardening the system. Due to this and the fact that the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1599", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; rather, it just checks to see if security controls are in place, which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact that the security control is only supported for Linux platforms, the score is Minimal. 
"}]}, {"techniqueID": "T1599.001", "score": 1, "comment": " Related to: \n \u2022amazon_inspector", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_inspector"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; rather, it just checks to see if security controls are in place, which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact that the security control is only supported for Linux platforms, the score is Minimal. "}]}, {"techniqueID": "T1008", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate an adversary's use of fallback or alternative communication channels.  In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints.  
Because in such environments the protection is limited to known  malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block communication with known fallback channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified. "}]}, {"techniqueID": "T1018", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can filter network traffic and therefore can be effective for mitigating network based remote system discovery.  Other remote system discovery methods such as discovering hosts from local host files are not mitigated resulting in Partial coverage score and an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block adversaries from discovering endpoints behind the firewall. This mapping is given a score of Partial because it does not protect against discovering endpoints within the network and behind the firewall. "}]}, {"techniqueID": "T1021.001", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks.  This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network.  This results in an overall partial (coverage) score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack."}]}, {"techniqueID": "T1021.002", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks.  This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network.  This results in an overall partial (coverage) score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack."}]}, {"techniqueID": "T1021.003", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks.  This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network.  This results in an overall partial (coverage) score."}]}, {"techniqueID": "T1021.005", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks.  This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network.  
This results in an overall partial (coverage) score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack."}]}, {"techniqueID": "T1021.006", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks.  This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network.  This results in an overall partial (coverage) score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack."}]}, {"techniqueID": "T1021.007", "score": 2, "comment": " Related to: \n \u2022amazon_virtual_private_cloud\n\u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks.  This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network.  
This results in an overall partial (coverage) score."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Identity and Access Management supports multi-factor authentication, which can mitigate an adversary's ability to use valid credentials obtained on one cloud to access another cloud service."}]}, {"techniqueID": "T1040", "score": 5, "comment": " Related to: \n \u2022amazon_virtual_private_cloud\n\u2022aws_rds\n\u2022aws_iot_device_defender\n\u2022aws_config\n\u2022aws_cloudwatch", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can prevent information from being gathered via network sniffing."}, {"divider": true}, {"name": "control", "value": "aws_cloudwatch"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudWatch uses TLS/SSL connections to communicate with other AWS resources which protects against network sniffing attacks. 
As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: \"acm-certificate-expiration-check\" for nearly expired certificates in AWS Certificate Manager (ACM); \"alb-http-to-https-redirection-check\" for Application Load Balancer (ALB) HTTP listeners; \"api-gw-ssl-enabled\" for API Gateway REST API stages; \"cloudfront-custom-ssl-certificate\", \"cloudfront-sni-enabled\", and \"cloudfront-viewer-policy-https\", for Amazon CloudFront distributions; \"elb-acm-certificate-required\", \"elb-custom-security-policy-ssl-check\", \"elb-predefined-security-policy-ssl-check\", and \"elb-tls-https-listeners-only\" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; \"redshift-require-tls-ssl\" for Amazon Redshift cluster connections to SQL clients; \"s3-bucket-ssl-requests-only\" for requests for S3 bucket contents; and \"elasticsearch-node-to-node-encryption-check\" for Amazon ElasticSearch Service node-to-node communications.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that private traffic is routed securely and only within VPCs rather than on the public Internet: \"api-gw-endpoint-type-check\" for Amazon API Gateway APIs, \"elasticsearch-in-vpc-only\" for Amazon ElasticSearch Service domains, and \"redshift-enhanced-vpc-routing-enabled\" for Amazon Redshift cluster traffic.\nAll of these are run on configuration changes except \"alb-http-to-https-redirection-check\" and \"elasticsearch-in-vpc-only\", which are run periodically. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic and/or do not have access to traffic within the relevant VPCs, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: \"CA certificate expiring\" (\"CA_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"CA certificate key quality\" (\"CA_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), and \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the \"UPDATE_CA_CERTIFICATE\" mitigation action which can resolve them. 
\"Device certificate expiring\" (\"DEVICE_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"Device certificate key quality\" (\"DEVICE_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with IoT devices' certificates and support the \"UPDATE_DEVICE_CERTIFICATE\" and \"ADD_THINGS_TO_THING_GROUP\" mitigation actions which can resolve them.\nCoverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS and AWS RDS Proxy support TLS/SSL connections to database instances which protects against network sniffing attacks. As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1048.001", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_iot_device_defender", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel.  In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints.  
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. 
"}]}, {"techniqueID": "T1048.002", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_iot_device_defender", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel.  In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints.  Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. 
"}]}, {"techniqueID": "T1072", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to limit access to critical network systems such as software deployment tools."}]}, {"techniqueID": "T1095", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_iot_device_defender", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate adversary attempts to utilize non-application layer protocols for communication.  In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints.  
Because in such environments the protection is limited to known  malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and non-application layer protocols - especially TCP and UDP - to communicate for command and control purposes: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. \"Messages sent\" (\"aws:num-messages-sent\"), \"Messages received\" (\"aws:num-messages-received\"), and \"Message size\" (\"aws:message-byte-size\") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include command and control traffic.\nThe following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and non-application layer protocols - especially TCP and UDP - to communicate for command and control purposes: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include command and control traffic. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via TCP and/or UDP on unexpected ports that may suggest command and control traffic.\nCoverage factor is minimal, since these metrics are limited to IoT device communication and none of this technique's sub-techniques are addressed, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging non-application layer protocols. Given this, the mapping is given a score of Significant."}]}, {"techniqueID": "T1199", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC network access control lists (NACLs) can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. 
Coverage is Partial and the temporal factor is Immediate."}]}, {"techniqueID": "T1205", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can provide significant protection for some variations of this technique, for example Port Knocking.  Other variations of this technique, such as using traffic signaling to execute a malicious task, are not easily mitigated by security groups or NACLs.  Consequently, its coverage score is Partial, resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network, which may help protect against traffic signaling from external systems. This mapping is given a score of Partial because the AWS Network Firewall does not do anything to protect against traffic signaling among hosts within the network and behind the firewall."}]}, {"techniqueID": "T1205.001", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can protect against this sub-technique by enforcing limited access to only required ports.  
Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the security group or NACL level. "}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against port knocking from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against port knocking among hosts within the network and behind the firewall."}]}, {"techniqueID": "T1219", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to limit outgoing traffic to only sites and services used by authorized remote access tools.  This is scored as partial because it doesn't protect against an adversary using an authorized remote access tool for malicious activity."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to only allow remote access software from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote access software traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote access software as part of an attack."}]}, {"techniqueID": "T1482", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to isolate sensitive domains to limit discovery."}]}, {"techniqueID": "T1499", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_config\n\u2022aws_shield", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) provide minimal protection for a majority of this technique's sub-techniques and procedure examples, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic 
based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because it only supports a subset of the sub-techniques, and because the source of the attack would have to be known before rules could be put in place to protect against it. "}, {"divider": true}, {"name": "control", "value": "aws_shield"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}]}, {"techniqueID": "T1499.001", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_config\n\u2022aws_shield", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. "}, {"divider": true}, {"name": "control", "value": "aws_shield"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. 
"}]}, {"techniqueID": "T1499.002", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_config\n\u2022aws_shield", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. 
This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. "}, {"divider": true}, {"name": "control", "value": "aws_shield"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. "}]}, {"techniqueID": "T1499.003", "score": 4, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_config\n\u2022aws_shield", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. 
"}, {"divider": true}, {"name": "control", "value": "aws_shield"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Shield Advanced allows for customized detection and mitigations for custom applications that are running on EC2 instances."}]}, {"techniqueID": "T1542", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can provide partial protection coverage of Pre-OS Boot mechanisms that utilize TFTP boot, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. 
This mapping is given a score of Minimal because AWS Network Firewall only supports a subset of sub-techniques, and it does not do anything to protect against TFTP booting among hosts within the network and behind the firewall."}]}, {"techniqueID": "T1542.005", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to restrict clients to connecting (and therefore booting) from only trusted network resources."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Partial because AWS Network Firewall does not do anything to protect against TFTP booting among hosts within the network and behind the firewall."}]}, {"techniqueID": "T1557", "score": 4, "comment": " Related to: \n \u2022amazon_virtual_private_cloud\n\u2022aws_rds\n\u2022aws_config\n\u2022aws_iot_device_defender", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can mitigate Man-in-the-Middle attacks that manipulate network protocol data in transit. 
VPC Peering can also be utilized to route traffic privately between two VPCs which can reduce the Man-in-the-Middle attack surface.  VPC Endpoints can also similarly reduce the attack surface of Man-in-the-Middle attacks by ensuring network traffic between a VPC and supported AWS services are not exposed to the Internet."}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: \"acm-certificate-expiration-check\" for nearly expired certificates in AWS Certificate Manager (ACM); \"alb-http-to-https-redirection-check\" for Application Load Balancer (ALB) HTTP listeners; \"api-gw-ssl-enabled\" for API Gateway REST API stages; \"cloudfront-custom-ssl-certificate\", \"cloudfront-sni-enabled\", and \"cloudfront-viewer-policy-https\", for Amazon CloudFront distributions; \"elb-acm-certificate-required\", \"elb-custom-security-policy-ssl-check\", \"elb-predefined-security-policy-ssl-check\", and \"elb-tls-https-listeners-only\" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; \"redshift-require-tls-ssl\" for Amazon Redshift cluster connections to SQL clients; \"s3-bucket-ssl-requests-only\" for requests for S3 bucket contents; and \"elasticsearch-node-to-node-encryption-check\" for Amazon ElasticSearch Service node-to-node communications.\nAll of these are run on configuration changes except \"alb-http-to-https-redirection-check\", which is run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic. 
This control does not provide specific coverage for this technique's sub-techniques, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: \"CA certificate expiring\" (\"CA_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"CA certificate key quality\" (\"CA_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), and \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the \"UPDATE_CA_CERTIFICATE\" mitigation action which can resolve them. \"Device certificate expiring\" (\"DEVICE_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"Device certificate key quality\" (\"DEVICE_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with IoT devices' certificates and support the \"UPDATE_DEVICE_CERTIFICATE\" and \"ADD_THINGS_TO_THING_GROUP\" mitigation actions which can resolve them.\nCoverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic. 
This control does not provide specific coverage for this technique's sub-techniques, resulting in an overall score of Minimal."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS RDS and AWS RDS Proxy support TLS/SSL connections to database instances which protects against man-in-the-middle attacks. However, given that it does not support any sub-techniques, the mapping is given a score of Partial."}]}, {"techniqueID": "T1557.001", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}]}, {"techniqueID": "T1557.002", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}]}, {"techniqueID": "T1557.003", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}]}, {"techniqueID": "T1565.002", "score": 2, "comment": " Related to: \n \u2022amazon_virtual_private_cloud\n\u2022aws_rds", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. 
This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1570", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can be used to limit traffic between systems and enclaves to the minimum necessary, for example via a zero-trust strategy."}]}, {"techniqueID": "T1590", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but are not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. 
WHOIS) resulting in a Partial coverage score and an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. While this mapping supports most of the sub-techniques (4 of 6), it is only given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. "}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions\nS3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
"}]}, {"techniqueID": "T1590.001", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but are not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. "}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. 
AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions\nS3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1590.004", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but are not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. 
"}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions\nS3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1590.005", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but are not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. 
This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. "}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions\nS3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1590.006", "score": 3, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022amazon_virtual_private_cloud\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but are not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score."}, {"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. "}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions\nS3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
"}]}, {"techniqueID": "T1602", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "VPC security groups and network access control lists (NACLs) can limit attackers' access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports."}]}, {"techniqueID": "T1602.001", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Can limit access to client management interfaces or configuration databases."}]}, {"techniqueID": "T1602.002", "score": 1, "comment": " Related to: \n \u2022amazon_virtual_private_cloud", "metadata": [{"divider": true}, {"name": "control", "value": "amazon_virtual_private_cloud"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Can limit access to client management interfaces or configuration databases."}]}, {"techniqueID": "T1490", "score": 2, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_rds", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are modified to disrupt recovery, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to inhibit system recovery.\nRDS-EVENT-0028: Automatic backups for this DB instance have been disabled\nThis mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized disabling of automatic backups.\n"}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."}]}, {"techniqueID": "T1561", "score": 2, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_rds", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2)."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Minimal because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on."}]}, {"techniqueID": "T1561.001", "score": 2, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_rds", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. 
However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on."}]}, {"techniqueID": "T1561.002", "score": 2, "comment": " Related to: \n \u2022aws_cloudendure_disaster_recovery\n\u2022aws_rds", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudendure_disaster_recovery"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_rds"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on."}]}, {"techniqueID": "T1552.004", "score": 4, "comment": " Related to: \n \u2022aws_key_management_service\n\u2022aws_secrets_manager\n\u2022aws_cloudhsm\n\u2022aws_iot_device_defender", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. 
The service does not allow anyone access to retrieve plaintext keys from the service."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender audit checks can identify potentially malicious use of private keys associated with AWS IoT devices, which may indicate that the keys have been taken from compromised devices and repurposed by an adversary: \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API) and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or certificates that have been revoked due to compromise, both of which suggest that an adversary may be misusing stolen private keys.\nCoverage factor is partial for these checks and mitigations, since they are specific to use of private keys associated with AWS IoT devices, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_key_management_service"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service."}, {"divider": true}, {"name": "control", "value": "aws_secrets_manager"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user."}]}, {"techniqueID": "T1553", "score": 1, "comment": " Related to: \n \u2022aws_cloudhsm", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This service provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization."}]}, {"techniqueID": "T1553.002", "score": 1, "comment": " Related to: \n \u2022aws_cloudhsm", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques."}]}, {"techniqueID": "T1553.004", "score": 1, "comment": " Related to: \n \u2022aws_cloudhsm", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques."}]}, {"techniqueID": "T1588", "score": 2, "comment": " Related to: \n \u2022aws_key_management_service\n\u2022aws_cloudhsm", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This service provides protection against sub-techniques involved with stealing credentials, certificates, keys from the organization."}, {"divider": true}, {"name": "control", "value": "aws_key_management_service"}, {"name": "category", 
"value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization. As documented, access can be provisioned and monitored."}]}, {"techniqueID": "T1588.003", "score": 2, "comment": " Related to: \n \u2022aws_key_management_service\n\u2022aws_cloudhsm", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques."}, {"divider": true}, {"name": "control", "value": "aws_key_management_service"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The encryption key for the certificate can be stored in KMS, reducing its attack surface. Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised."}]}, {"techniqueID": "T1588.004", "score": 2, "comment": " Related to: \n \u2022aws_key_management_service\n\u2022aws_cloudhsm", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudhsm"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques."}, {"divider": true}, {"name": "control", "value": "aws_key_management_service"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The encryption key for the certificate can be stored in KMS, reducing its attack surface. 
Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised."}]}, {"techniqueID": "T1610", "score": 2, "comment": " Related to: \n \u2022aws_config\n\u2022aws_cloudwatch", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudwatch"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metric could be used to detect if an adversary deployed a new container in the environment. \nnode_number_of_running_containers\nThis mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized deployment of a new container.  "}, {"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to deploy containers. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial."}]}, {"techniqueID": "T1654", "score": 1, "comment": " Related to: \n \u2022aws_cloudwatch", "metadata": [{"divider": true}, {"name": "control", "value": "aws_cloudwatch"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "CloudWatch can be configured to alarm for monitoring the \"aws-collect-system-logs\" command which could detect this technique. 
However, this command is often used for diagnostics and may lead to false positives."}]}, {"techniqueID": "T1020.001", "score": 2, "comment": " Related to: \n \u2022aws_config\n\u2022aws_iot_device_defender", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: \"acm-certificate-expiration-check\" for nearly expired certificates in AWS Certificate Manager (ACM); \"alb-http-to-https-redirection-check\" for Application Load Balancer (ALB) HTTP listeners; \"api-gw-ssl-enabled\" for API Gateway REST API stages; \"cloudfront-custom-ssl-certificate\", \"cloudfront-sni-enabled\", and \"cloudfront-viewer-policy-https\", for Amazon CloudFront distributions; \"elb-acm-certificate-required\", \"elb-custom-security-policy-ssl-check\", \"elb-predefined-security-policy-ssl-check\", and \"elb-tls-https-listeners-only\" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; \"redshift-require-tls-ssl\" for Amazon Redshift cluster connections to SQL clients; \"s3-bucket-ssl-requests-only\" for requests for S3 bucket contents; and \"elasticsearch-node-to-node-encryption-check\" for Amazon ElasticSearch Service node-to-node communications.\nAll of these are run on configuration changes except \"alb-http-to-https-redirection-check\", which is run periodically. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_iot_device_defender"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: \"CA certificate expiring\" (\"CA_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"CA certificate key quality\" (\"CA_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), and \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the \"UPDATE_CA_CERTIFICATE\" mitigation action which can resolve them. 
\"Device certificate expiring\" (\"DEVICE_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"Device certificate key quality\" (\"DEVICE_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with IoT devices' certificates and support the \"UPDATE_DEVICE_CERTIFICATE\" and \"ADD_THINGS_TO_THING_GROUP\" mitigation actions which can resolve them.\nCoverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial."}]}, {"techniqueID": "T1053.007", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to create or modify orchestration jobs. 
It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial."}]}, {"techniqueID": "T1098.005", "score": 2, "comment": " Related to: \n \u2022aws_identity_and_access_management\n\u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted device registration: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". All of these controls are run periodically and provide partial coverage, since adversaries may be able to register devices via other mechanisms, resulting in an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The IAM MFA fields can provide data on device registration to help detect unexpected registrations."}]}, {"techniqueID": "T1119", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: \"ec2-ebs-encryption-by-default\" which is run periodically and \"encrypted-volumes\" which is run on configuration changes.\nCoverage factor is minimal for 
these rules, since they are specific to EBS volumes and will only prevent certain forms of collection since adversaries with access to mounted volumes may be able to decrypt their contents, resulting in an overall score of Minimal."}]}, {"techniqueID": "T1136", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal."}]}, {"techniqueID": "T1136.003", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide significant protection against attempted manipulation of cloud accounts, including the creation of new ones: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". 
All of these controls are run periodically and provide partial coverage, since adversaries may be able to create cloud credentials via other mechanisms, resulting in an overall score of Partial."}]}, {"techniqueID": "T1204", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal."}]}, {"techniqueID": "T1204.003", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: \"approved-amis-by-id\" and \"approved-amis-by-tag\", both of which are run on configuration changes. They provide significant coverage, resulting in an overall score of Significant."}]}, {"techniqueID": "T1499.004", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal."}]}, {"techniqueID": "T1525", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: \"approved-amis-by-id\" and \"approved-amis-by-tag\", both of which are run on configuration changes. This does not provide detection of the image implanting itself, but does provide detection for any subsequent use of images that are implanted and not present within the allow list, resulting in a score of Minimal."}]}, {"techniqueID": "T1538", "score": 2, "comment": " Related to: \n \u2022aws_config\n\u2022aws_organizations", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The \"mfa-enabled-for-iam-console-access\" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users that use a console password, protecting against misuse of those accounts' dashboard access. 
It is run periodically, and provides significant coverage, resulting in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_organizations"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may protect against cloud service dashboard abuse by segmenting accounts into separate organizational units and restricting dashboard access by least privilege."}]}, {"techniqueID": "T1552.007", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to gather credentials via the API. The \"eks-secrets-encrypted\" managed rule can identify configuration problems that should be fixed in order to ensure that Kubernetes secrets (including those containing credentials) are encrypted to prevent malicious access. 
Both controls are run periodically and only provide partial coverage because they are specific to public access and adversaries without the ability to decrypt secrets, respectively, resulting in an overall score of Partial."}]}, {"techniqueID": "T1562.007", "score": 2, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following AWS Config managed rules can identify potentially malicious changes to cloud firewall status and ensure that a WAF is enabled and enforcing specified ACLs: \"lab-waf-enabled\" for Application Load Balancers; \"api-gw-associated-with-waf\" for Amazon API Gateway API stages; \"cloudfront-associated-with-waf\" for Amazon CloudFront distributions; \"fms-webacl-resource-policy-check\", \"fms-webacl-resource-policy-check\", and \"fms-webacl-rulegroup-association-check\" for AWS Firewall Manager; \"vpc-default-security-group-closed\", \"vpc-network-acl-unused-check\", and \"vpc-sg-open-only-to-authorized-ports\" for VPC security groups; and \"ec2-security-group-attached-to-eni\" for EC2 and ENI security groups; all of which are run on configuration changes.\nThe following AWS Config managed rules can identify specific configuration changes to VPC configuration that may suggest malicious modification to bypass protections: \"internet-gateway-authorized-vpc-only\" can identify Internet gateways (IGWs) attached to unauthorized VPCs, which can allow unwanted communication between a VPC and the Internet; \"lambda-inside-vpc\" can identify VPCs that have granted execution access to unauthorized Lambda functions; \"service-vpc-endpoint-enabled\" can verify that endpoints are active for the appropriate services across VPCs; \"subnet-auto-assign-public-ip-disabled\" checks for public IP addresses assigned to subnets within VPCs.\nCoverage factor 
is significant for these rules, since they cover firewall configuration for and via a wide range of services, resulting in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  3.12 Ensure a log metric filter and alarm exist for changes to network gateways  3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made.  
"}]}, {"techniqueID": "T1578.005", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Config managed rules can periodically evaluate resource configurations to provide partial detection coverage for Cloud Compute Configuration changes."}]}, {"techniqueID": "T1609", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to execute commands via the API. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial."}]}, {"techniqueID": "T1611", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"ecs-task-definition-user-for-host-mode-check\" managed rule can identify Amazon Elastic Container Service (ECS) task definitions for containers with host networking mode and 'privileged' or 'user' container definitions, which may enable adversaries to break out of containers and gain access to the underlying host. It is run on configuration changes. 
Coverage is partial, since adversaries may find other means to escape a container to the underlying host, resulting in an overall score of Partial."}]}, {"techniqueID": "T1613", "score": 1, "comment": " Related to: \n \u2022aws_config", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to discover containers and other resources. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial."}]}, {"techniqueID": "T1651", "score": 3, "comment": " Related to: \n \u2022aws_security_hub\n\u2022aws_config\n\u2022aws_organizations", "metadata": [{"divider": true}, {"name": "control", "value": "aws_config"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The \"mfa-enabled-for-iam-console-access\" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users, protecting against misuse of those accounts' access to Amazon System Manager and the ability to run cloud administration commands. 
It is run periodically, and provides significant coverage, resulting in an overall score of Significant."}, {"divider": true}, {"name": "control", "value": "aws_organizations"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may protect against cloud administration command abuse by segmenting accounts into separate organizational units and restricting Amazon Security Manager access by least privilege."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Security Hub controls for System Manager can be configured to prevent unauthorized Cloud Administration Commands from being executed."}]}, {"techniqueID": "T1528", "score": 2, "comment": " Related to: \n \u2022aws_identity_and_access_management\n\u2022aws_secrets_manager", "metadata": [{"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control may mitigate against application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer."}, {"divider": true}, {"name": "control", "value": "aws_secrets_manager"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may prevent theft of application access tokens by replacing those tokens with authenticated and encrypted API calls to AWS Secrets Manager. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user."}]}, {"techniqueID": "T1548.005", "score": 1, "comment": " Related to: \n \u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Identity and Access Management (IAM) policy variables can limit actions based on specific variables such as IP address or username and can provide protection from unauthorized temporary elevated cloud access."}]}, {"techniqueID": "T1550", "score": 1, "comment": " Related to: \n \u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}]}, {"techniqueID": "T1550.001", "score": 1, "comment": " Related to: \n \u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control may mitigate against application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer. 
"}]}, {"techniqueID": "T1621", "score": 1, "comment": " Related to: \n \u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Identity and Access Management can be configured to lock a user out after repeated Multi-Factor Authentication requests."}]}, {"techniqueID": "T1648", "score": 1, "comment": " Related to: \n \u2022aws_identity_and_access_management", "metadata": [{"divider": true}, {"name": "control", "value": "aws_identity_and_access_management"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Identity and Access Management variables can be used to allow or deny malicious serverless execution behavior based on variables like aws:SourceIp and aws:username."}]}, {"techniqueID": "T1104", "score": 1, "comment": " Related to: \n \u2022aws_network_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block communication with known command and control channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known channels and not channels yet to be identified. 
"}]}, {"techniqueID": "T1187", "score": 1, "comment": " Related to: \n \u2022aws_network_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block SMB and WebDAV traffic from exiting the network which can protect against adversaries from forcing authentication over SMB and WebDAV. This mapping is given a score of Significant because AWS Network Firewall can block this traffic or restrict where it can go to. "}]}, {"techniqueID": "T1205.002", "score": 1, "comment": " Related to: \n \u2022aws_network_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall can be used to block traffic to unused ports from reaching hosts on the network which may help protect against traffic signaling from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against traffic signaling among hosts within the network and behind the firewall."}]}, {"techniqueID": "T1572", "score": 1, "comment": " Related to: \n \u2022aws_network_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block traffic from known bad IP addresses and domains which could protect against protocol tunneling by adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones."}]}, {"techniqueID": "T1589", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. It is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. "}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
"}]}, {"techniqueID": "T1589.001", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. It is given a score of Minimal because much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1589.002", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. 
The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. It is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. "}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1589.003", "score": 2, "comment": " Related to: \n \u2022aws_network_firewall\n\u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_network_firewall"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. 
The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. It is given a score of Minimal because much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders."}, {"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1087", "score": 1, "comment": " Related to: \n \u2022aws_organizations", "metadata": [{"divider": true}, {"name": "control", "value": "aws_organizations"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control may protect against cloud account discovery but does not mitigate against other forms of account discovery."}]}, {"techniqueID": "T1087.004", "score": 1, "comment": " Related to: \n \u2022aws_organizations", "metadata": [{"divider": true}, {"name": "control", "value": "aws_organizations"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may protect against cloud account discovery by segmenting accounts into separate organizational units and restricting to least privileges between groups. 
"}]}, {"techniqueID": "T1552.002", "score": 1, "comment": " Related to: \n \u2022aws_secrets_manager", "metadata": [{"divider": true}, {"name": "control", "value": "aws_secrets_manager"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user."}]}, {"techniqueID": "T1555", "score": 1, "comment": " Related to: \n \u2022aws_secrets_manager", "metadata": [{"divider": true}, {"name": "control", "value": "aws_secrets_manager"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may prevent harvesting of credentials from password stores by providing a secure, finely controlled location for secrets storage. This control is only relevant for credentials that would be used from application and configuration files and not those entered directly by an end user."}]}, {"techniqueID": "T1555.006", "score": 1, "comment": " Related to: \n \u2022aws_secrets_manager", "metadata": [{"divider": true}, {"name": "control", "value": "aws_secrets_manager"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may prevent harvesting of credentials from password stores by providing a secure, finely controlled location for secrets storage. 
This control is only relevant for credentials that would be used from application and configuration files and not those entered directly by an end user."}]}, {"techniqueID": "T1543.005", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "AWS Security Hub offers controls for Amazon Elastic Container Service (ECS). There are a variety of ECS security controls available, resulting in a score of Significant."}]}, {"techniqueID": "T1590.002", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1590.003", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. 
AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1591", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1591.001", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
"}]}, {"techniqueID": "T1591.002", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1591.003", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
"}]}, {"techniqueID": "T1591.004", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1592", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
"}]}, {"techniqueID": "T1592.001", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1592.002", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
"}]}, {"techniqueID": "T1592.003", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. "}]}, {"techniqueID": "T1592.004", "score": 1, "comment": " Related to: \n \u2022aws_security_hub", "metadata": [{"divider": true}, {"name": "control", "value": "aws_security_hub"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
"}]}, {"techniqueID": "T1078.002", "score": 1, "comment": " Related to: \n \u2022aws_single_sign-on", "metadata": [{"divider": true}, {"name": "control", "value": "aws_single_sign-on"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management."}]}, {"techniqueID": "T1059", "score": 1, "comment": " Related to: \n \u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications: AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet  AWSManagedRulesUnixRuleSet  AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet  AWSManagedRulesWordPressRuleSet\nThis is given a score of Partial (instead of Minimal) because while it only protects against a subset of sub-techniques, it does provide protections for command and scripting interpreters that do not have sub-techniques (SQL, PHP, etc.). 
Furthermore, it blocks the malicious content in near real-time."}]}, {"techniqueID": "T1059.001", "score": 1, "comment": " Related to: \n \u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet  AWSManagedRulesUnixRuleSet  AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet  AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time."}]}, {"techniqueID": "T1059.004", "score": 1, "comment": " Related to: \n \u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. 
AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet  AWSManagedRulesUnixRuleSet  AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet  AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time."}]}, {"techniqueID": "T1059.007", "score": 1, "comment": " Related to: \n \u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet  AWSManagedRulesUnixRuleSet  AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet  AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time."}]}, {"techniqueID": "T1595.003", "score": 1, "comment": " Related to: \n \u2022aws_web_application_firewall", "metadata": [{"divider": true}, {"name": "control", "value": "aws_web_application_firewall"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within the network protected by the firewall. "}]}, {"techniqueID": null, "score": 10, "comment": " Related to: \n \u2022amazon_macie\n\u2022aws_certificate_manager\n\u2022aws_audit_manager\n\u2022aws_directory_service\n\u2022amazon_detective\n\u2022aws_artifact\n\u2022aws_firewall_manager\n\u2022aws_cloudtrail\n\u2022aws_resource_access_manager\n\u2022aws_security_lake", "metadata": []}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 10}}