AWS MAPPINGS

Amazon Web Services (AWS) is a widely used cloud computing platform. This project maps the security controls native to the (AWS) platform to MITRE ATT&CK®, providing resources to assess how to protect, detect, and respond to real-world threats as described in the ATT&CK knowledge base.

AWS Versions: 12.12.2024, 09.21.2021 ATT&CK Versions: 16.1, 9.0 ATT&CK Domain: Enterprise

Security Stack Mapping Methodology

SELECT VERSIONS

AWS Version

ATT&CK Version

ATT&CK Domain

Capability Groups

ID Capability Group Name Number of Mappings Number of Capabilities
aws_rds AWS RDS 24 1
aws_config AWS Config 58 1
aws_s3 AWS S3 2 1
amazon_guardduty Amazon GuardDuty 69 1
aws_shield AWS Shield 7 1
aws_iot_device_defender AWS IoT Device Defender 24 1
aws_organizations AWS Organizations 7 1
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery 12 1
aws_key_management_service AWS Key Management Service 6 1
amazon_inspector Amazon Inspector 52 1
amazon_virtual_private_cloud Amazon Virtual Private Cloud 55 1
amazon_cognito Amazon Cognito 7 1
aws_web_application_firewall AWS Web Application Firewall 17 1
aws_cloudwatch AWS CloudWatch 4 1
aws_security_hub AWS Security Hub 45 1
aws_identity_and_access_management AWS Identity and Access Management 18 1
aws_secrets_manager AWS Secrets Manager 8 1
aws_network_firewall AWS Network Firewall 54 1
aws_single_sign-on AWS Single Sign-On 8 1
aws_cloudhsm AWS CloudHSM 10 1

All Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name
amazon_cognito Amazon Cognito protect minimal T1078 Valid Accounts
amazon_cognito Amazon Cognito protect partial T1078.004 Cloud Accounts
amazon_cognito Amazon Cognito protect significant T1110 Brute Force
amazon_cognito Amazon Cognito protect significant T1110.001 Password Guessing
amazon_cognito Amazon Cognito protect significant T1110.002 Password Cracking
amazon_cognito Amazon Cognito protect significant T1110.003 Password Spraying
amazon_cognito Amazon Cognito protect significant T1110.004 Credential Stuffing
amazon_guardduty Amazon GuardDuty detect partial T1020 Automated Exfiltration
amazon_guardduty Amazon GuardDuty detect partial T1021.008 Direct Cloud VM Connections
amazon_guardduty Amazon GuardDuty detect minimal T1029 Scheduled Transfer
amazon_guardduty Amazon GuardDuty detect minimal T1041 Exfiltration Over C2 Channel
amazon_guardduty Amazon GuardDuty detect partial T1046 Network Service Scanning
amazon_guardduty Amazon GuardDuty detect partial T1048 Exfiltration Over Alternative Protocol
amazon_guardduty Amazon GuardDuty detect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
amazon_guardduty Amazon GuardDuty detect partial T1059.009 Cloud API
amazon_guardduty Amazon GuardDuty detect partial T1071 Application Layer Protocol
amazon_guardduty Amazon GuardDuty detect partial T1071.001 Web Protocols
amazon_guardduty Amazon GuardDuty detect partial T1071.002 File Transfer Protocols
amazon_guardduty Amazon GuardDuty detect partial T1071.003 Mail Protocols
amazon_guardduty Amazon GuardDuty detect partial T1071.004 DNS
amazon_guardduty Amazon GuardDuty detect partial T1078 Valid Accounts
amazon_guardduty Amazon GuardDuty detect partial T1078.001 Default Accounts
amazon_guardduty Amazon GuardDuty detect partial T1078.004 Cloud Accounts
amazon_guardduty Amazon GuardDuty detect minimal T1090 Proxy
amazon_guardduty Amazon GuardDuty detect minimal T1090.001 Internal Proxy
amazon_guardduty Amazon GuardDuty detect minimal T1090.002 External Proxy
amazon_guardduty Amazon GuardDuty detect minimal T1090.003 Multi-hop Proxy
amazon_guardduty Amazon GuardDuty detect partial T1098 Account Manipulation
amazon_guardduty Amazon GuardDuty detect partial T1098.001 Additional Cloud Credentials
amazon_guardduty Amazon GuardDuty detect partial T1098.004 SSH Authorized Keys
amazon_guardduty Amazon GuardDuty detect minimal T1110 Brute Force
amazon_guardduty Amazon GuardDuty detect minimal T1110.001 Password Guessing
amazon_guardduty Amazon GuardDuty detect minimal T1110.003 Password Spraying
amazon_guardduty Amazon GuardDuty detect minimal T1110.004 Credential Stuffing
amazon_guardduty Amazon GuardDuty detect partial T1189 Drive-by Compromise
amazon_guardduty Amazon GuardDuty detect minimal T1190 Exploit Public-Facing Application
amazon_guardduty Amazon GuardDuty detect partial T1485 Data Destruction
amazon_guardduty Amazon GuardDuty detect partial T1486 Data Encrypted for Impact
amazon_guardduty Amazon GuardDuty detect partial T1491 Defacement
amazon_guardduty Amazon GuardDuty detect partial T1491.001 Internal Defacement
amazon_guardduty Amazon GuardDuty detect partial T1491.002 External Defacement
amazon_guardduty Amazon GuardDuty detect partial T1496 Resource Hijacking
amazon_guardduty Amazon GuardDuty detect partial T1498 Network Denial of Service
amazon_guardduty Amazon GuardDuty detect partial T1498.001 Direct Network Flood
amazon_guardduty Amazon GuardDuty detect partial T1498.002 Reflection Amplification
amazon_guardduty Amazon GuardDuty detect partial T1526 Cloud Service Discovery
amazon_guardduty Amazon GuardDuty detect partial T1530 Data from Cloud Storage Object
amazon_guardduty Amazon GuardDuty detect partial T1531 Account Access Removal
amazon_guardduty Amazon GuardDuty detect minimal T1552 Unsecured Credentials
amazon_guardduty Amazon GuardDuty detect partial T1552.001 Credentials In Files
amazon_guardduty Amazon GuardDuty detect minimal T1552.005 Cloud Instance Metadata API
amazon_guardduty Amazon GuardDuty detect partial T1562 Impair Defenses
amazon_guardduty Amazon GuardDuty detect partial T1562.001 Disable or Modify Tools
amazon_guardduty Amazon GuardDuty detect partial T1562.006 Indicator Blocking
amazon_guardduty Amazon GuardDuty detect partial T1562.008 Disable Cloud Logs
amazon_guardduty Amazon GuardDuty detect partial T1565 Data Manipulation
amazon_guardduty Amazon GuardDuty detect partial T1565.001 Stored Data Manipulation
amazon_guardduty Amazon GuardDuty detect partial T1566 Phishing
amazon_guardduty Amazon GuardDuty detect partial T1566.001 Spearphishing Attachment
amazon_guardduty Amazon GuardDuty detect partial T1566.002 Spearphishing Link
amazon_guardduty Amazon GuardDuty detect partial T1566.003 Spearphishing via Service
amazon_guardduty Amazon GuardDuty detect partial T1567 Exfiltration Over Web Service
amazon_guardduty Amazon GuardDuty detect partial T1567.001 Exfiltration to Code Repository
amazon_guardduty Amazon GuardDuty detect partial T1567.002 Exfiltration to Cloud Storage
amazon_guardduty Amazon GuardDuty detect partial T1567.003 Exfiltration to Text Storage Sites
amazon_guardduty Amazon GuardDuty detect partial T1567.004 Exfiltration Over Webhook
amazon_guardduty Amazon GuardDuty detect partial T1568 Dynamic Resolution
amazon_guardduty Amazon GuardDuty detect partial T1568.002 Domain Generation Algorithms
amazon_guardduty Amazon GuardDuty detect partial T1571 Non-Standard Port
amazon_guardduty Amazon GuardDuty detect partial T1580 Cloud Infrastructure Discovery
amazon_guardduty Amazon GuardDuty detect partial T1595 Active Scanning
amazon_guardduty Amazon GuardDuty detect partial T1595.001 Scanning IP Blocks
amazon_guardduty Amazon GuardDuty detect partial T1595.002 Vulnerability Scanning
amazon_guardduty Amazon GuardDuty detect partial T1619 Cloud Storage Object Discovery
amazon_guardduty Amazon GuardDuty detect partial T1622 Debugger Evasion
amazon_guardduty Amazon GuardDuty detect partial T1649 Steal or Forge Authentication Certificates
amazon_inspector Amazon Inspector protect minimal T1003 OS Credential Dumping
amazon_inspector Amazon Inspector protect minimal T1003.007 Proc Filesystem
amazon_inspector Amazon Inspector protect minimal T1003.008 /etc/passwd and /etc/shadow
amazon_inspector Amazon Inspector protect minimal T1021 Remote Services
amazon_inspector Amazon Inspector protect minimal T1021.004 SSH
amazon_inspector Amazon Inspector protect minimal T1037 Boot or Logon Initialization Scripts
amazon_inspector Amazon Inspector protect partial T1037.004 RC Scripts
amazon_inspector Amazon Inspector protect partial T1046 Network Service Scanning
amazon_inspector Amazon Inspector protect minimal T1053 Scheduled Task/Job
amazon_inspector Amazon Inspector protect minimal T1053.001 At (Linux)
amazon_inspector Amazon Inspector protect minimal T1053.003 Cron
amazon_inspector Amazon Inspector protect minimal T1053.006 Systemd Timers
amazon_inspector Amazon Inspector protect partial T1068 Exploitation for Privilege Escalation
amazon_inspector Amazon Inspector protect minimal T1070 Indicator Removal on Host
amazon_inspector Amazon Inspector protect minimal T1070.002 Clear Linux or Mac System Logs
amazon_inspector Amazon Inspector protect minimal T1070.003 Clear Command History
amazon_inspector Amazon Inspector protect minimal T1070.004 File Deletion
amazon_inspector Amazon Inspector protect minimal T1070.005 Network Share Connection Removal
amazon_inspector Amazon Inspector protect minimal T1070.006 Timestomp
amazon_inspector Amazon Inspector protect minimal T1070.007 Clear Network Connection History and Configurations
amazon_inspector Amazon Inspector protect minimal T1070.008 Clear Mailbox Data
amazon_inspector Amazon Inspector protect minimal T1070.009 Clear Persistence
amazon_inspector Amazon Inspector protect minimal T1110 Brute Force
amazon_inspector Amazon Inspector protect minimal T1110.001 Password Guessing
amazon_inspector Amazon Inspector protect minimal T1110.002 Password Cracking
amazon_inspector Amazon Inspector protect minimal T1110.003 Password Spraying
amazon_inspector Amazon Inspector protect minimal T1110.004 Credential Stuffing
amazon_inspector Amazon Inspector protect minimal T1133 External Remote Services
amazon_inspector Amazon Inspector protect partial T1189 Drive-by Compromise
amazon_inspector Amazon Inspector protect partial T1190 Exploit Public-Facing Application
amazon_inspector Amazon Inspector protect partial T1203 Exploitation for Client Execution
amazon_inspector Amazon Inspector protect partial T1210 Exploitation of Remote Services
amazon_inspector Amazon Inspector protect partial T1211 Exploitation for Defense Evasion
amazon_inspector Amazon Inspector protect partial T1212 Exploitation for Credential Access
amazon_inspector Amazon Inspector protect minimal T1222 File and Directory Permissions Modification
amazon_inspector Amazon Inspector protect partial T1222.002 Linux and Mac File and Directory Permissions Modification
amazon_inspector Amazon Inspector protect minimal T1489 Service Stop
amazon_inspector Amazon Inspector protect minimal T1529 System Shutdown/Reboot
amazon_inspector Amazon Inspector protect minimal T1543 Create or Modify System Process
amazon_inspector Amazon Inspector protect partial T1543.002 Systemd Service
amazon_inspector Amazon Inspector protect minimal T1548 Abuse Elevation Control Mechanism
amazon_inspector Amazon Inspector protect minimal T1548.003 Sudo and Sudo Caching
amazon_inspector Amazon Inspector protect minimal T1562 Impair Defenses
amazon_inspector Amazon Inspector protect minimal T1562.001 Disable or Modify Tools
amazon_inspector Amazon Inspector protect minimal T1562.003 Impair Command History Logging
amazon_inspector Amazon Inspector protect minimal T1562.004 Disable or Modify System Firewall
amazon_inspector Amazon Inspector protect minimal T1562.006 Indicator Blocking
amazon_inspector Amazon Inspector protect partial T1595 Active Scanning
amazon_inspector Amazon Inspector protect partial T1595.001 Scanning IP Blocks
amazon_inspector Amazon Inspector protect partial T1595.002 Vulnerability Scanning
amazon_inspector Amazon Inspector protect minimal T1599 Network Boundary Bridging
amazon_inspector Amazon Inspector protect minimal T1599.001 Network Address Translation Traversal
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1008 Fallback Channels
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1018 Remote System Discovery
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1021 Remote Services
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1021.001 Remote Desktop Protocol
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1021.002 SMB/Windows Admin Shares
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1021.003 Distributed Component Object Model
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1021.004 SSH
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1021.005 VNC
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1021.006 Windows Remote Management
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1021.007 Cloud Services
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1040 Network Sniffing
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1046 Network Service Scanning
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1048 Exfiltration Over Alternative Protocol
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1072 Software Deployment Tools
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1090 Proxy
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1090.001 Internal Proxy
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1090.002 External Proxy
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1090.003 Multi-hop Proxy
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1095 Non-Application Layer Protocol
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1133 External Remote Services
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1199 Trusted Relationship
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1205 Traffic Signaling
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1205.001 Port Knocking
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1210 Exploitation of Remote Services
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1219 Remote Access Software
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1482 Domain Trust Discovery
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect minimal T1498 Network Denial of Service
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect minimal T1499 Endpoint Denial of Service
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect minimal T1499.001 OS Exhaustion Flood
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect minimal T1499.002 Service Exhaustion Flood
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect minimal T1499.003 Application Exhaustion Flood
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect minimal T1542 Pre-OS Boot
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1542.005 TFTP Boot
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1557 Man-in-the-Middle
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1557.002 ARP Cache Poisoning
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1557.003 DHCP Spoofing
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1565 Data Manipulation
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1565.002 Transmitted Data Manipulation
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1570 Lateral Tool Transfer
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect significant T1571 Non-Standard Port
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1590 Gather Victim Network Information
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1590.001 Domain Properties
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1590.004 Network Topology
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1590.005 IP Addresses
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1590.006 Network Security Appliances
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1595 Active Scanning
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1595.001 Scanning IP Blocks
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1595.002 Vulnerability Scanning
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1602 Data from Configuration Repository
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1602.001 SNMP (MIB Dump)
amazon_virtual_private_cloud Amazon Virtual Private Cloud protect partial T1602.002 Network Device Configuration Dump
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1190 Exploit Public-Facing Application
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1485 Data Destruction
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1486 Data Encrypted for Impact
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1490 Inhibit System Recovery
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1491 Defacement
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1491.001 Internal Defacement
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1491.002 External Defacement
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1561 Disk Wipe
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1561.001 Disk Content Wipe
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1561.002 Disk Structure Wipe
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond minimal T1565 Data Manipulation
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery respond significant T1565.001 Stored Data Manipulation
aws_cloudhsm AWS CloudHSM protect minimal T1552 Unsecured Credentials
aws_cloudhsm AWS CloudHSM protect partial T1552.001 Credentials In Files
aws_cloudhsm AWS CloudHSM protect significant T1552.004 Private Keys
aws_cloudhsm AWS CloudHSM protect partial T1553 Subvert Trust Controls
aws_cloudhsm AWS CloudHSM protect partial T1553.002 Code Signing
aws_cloudhsm AWS CloudHSM protect partial T1553.004 Install Root Certificate
aws_cloudhsm AWS CloudHSM protect partial T1588 Obtain Capabilities
aws_cloudhsm AWS CloudHSM protect partial T1588.003 Code Signing Certificates
aws_cloudhsm AWS CloudHSM protect partial T1588.004 Digital Certificates
aws_cloudhsm AWS CloudHSM protect partial T1649 Steal or Forge Authentication Certificates
aws_cloudwatch AWS CloudWatch protect significant T1040 Network Sniffing
aws_cloudwatch AWS CloudWatch detect partial T1496 Resource Hijacking
aws_cloudwatch AWS CloudWatch detect partial T1610 Deploy Container
aws_cloudwatch AWS CloudWatch detect minimal T1654 Log Enumeration
aws_config AWS Config protect minimal T1020 Automated Exfiltration
aws_config AWS Config protect partial T1020.001 Traffic Duplication
aws_config AWS Config protect partial T1040 Network Sniffing
aws_config AWS Config protect minimal T1053 Scheduled Task/Job
aws_config AWS Config protect partial T1053.007 Container Orchestration Job
aws_config AWS Config protect partial T1068 Exploitation for Privilege Escalation
aws_config AWS Config protect minimal T1078 Valid Accounts
aws_config AWS Config protect significant T1078.004 Cloud Accounts
aws_config AWS Config protect minimal T1098 Account Manipulation
aws_config AWS Config protect partial T1098.001 Additional Cloud Credentials
aws_config AWS Config protect partial T1098.005 Device Registration
aws_config AWS Config protect significant T1110 Brute Force
aws_config AWS Config protect significant T1110.001 Password Guessing
aws_config AWS Config protect significant T1110.002 Password Cracking
aws_config AWS Config protect significant T1110.003 Password Spraying
aws_config AWS Config protect significant T1110.004 Credential Stuffing
aws_config AWS Config protect minimal T1119 Automated Collection
aws_config AWS Config protect minimal T1136 Create Account
aws_config AWS Config protect partial T1136.003 Cloud Account
aws_config AWS Config protect partial T1190 Exploit Public-Facing Application
aws_config AWS Config protect partial T1203 Exploitation for Client Execution
aws_config AWS Config detect minimal T1204 User Execution
aws_config AWS Config detect significant T1204.003 Malicious Image
aws_config AWS Config protect partial T1210 Exploitation of Remote Services
aws_config AWS Config protect partial T1211 Exploitation for Defense Evasion
aws_config AWS Config protect partial T1212 Exploitation for Credential Access
aws_config AWS Config protect partial T1485 Data Destruction
aws_config AWS Config protect partial T1486 Data Encrypted for Impact
aws_config AWS Config protect significant T1491 Defacement
aws_config AWS Config protect significant T1491.001 Internal Defacement
aws_config AWS Config protect significant T1491.002 External Defacement
aws_config AWS Config detect partial T1496 Resource Hijacking
aws_config AWS Config protect minimal T1498 Network Denial of Service
aws_config AWS Config protect minimal T1498.001 Direct Network Flood
aws_config AWS Config protect minimal T1498.002 Reflection Amplification
aws_config AWS Config protect minimal T1499 Endpoint Denial of Service
aws_config AWS Config protect minimal T1499.001 OS Exhaustion Flood
aws_config AWS Config protect minimal T1499.002 Service Exhaustion Flood
aws_config AWS Config protect minimal T1499.003 Application Exhaustion Flood
aws_config AWS Config protect minimal T1499.004 Application or System Exploitation
aws_config AWS Config detect minimal T1525 Implant Internal Image
aws_config AWS Config protect significant T1530 Data from Cloud Storage Object
aws_config AWS Config protect significant T1538 Cloud Service Dashboard
aws_config AWS Config protect partial T1552 Unsecured Credentials
aws_config AWS Config protect partial T1552.001 Credentials In Files
aws_config AWS Config protect partial T1552.005 Cloud Instance Metadata API
aws_config AWS Config protect partial T1552.007 Container API
aws_config AWS Config protect minimal T1557 Man-in-the-Middle
aws_config AWS Config detect minimal T1562 Impair Defenses
aws_config AWS Config detect partial T1562.001 Disable or Modify Tools
aws_config AWS Config detect significant T1562.007 Disable or Modify Cloud Firewall
aws_config AWS Config detect significant T1562.008 Disable Cloud Logs
aws_config AWS Config detect partial T1578.005 Modify Cloud Compute Configurations
aws_config AWS Config protect partial T1609 Container Administration Command
aws_config AWS Config protect partial T1610 Deploy Container
aws_config AWS Config protect partial T1611 Escape to Host
aws_config AWS Config protect partial T1613 Container and Resource Discovery
aws_config AWS Config protect significant T1651 Cloud Administration Command
aws_identity_and_access_management AWS Identity and Access Management protect partial T1021.007 Cloud Services
aws_identity_and_access_management AWS Identity and Access Management protect partial T1078 Valid Accounts
aws_identity_and_access_management AWS Identity and Access Management detect partial T1078 Valid Accounts
aws_identity_and_access_management AWS Identity and Access Management protect partial T1078.004 Cloud Accounts
aws_identity_and_access_management AWS Identity and Access Management detect minimal T1078.004 Cloud Accounts
aws_identity_and_access_management AWS Identity and Access Management detect minimal T1098 Account Manipulation
aws_identity_and_access_management AWS Identity and Access Management detect minimal T1098.001 Additional Cloud Credentials
aws_identity_and_access_management AWS Identity and Access Management detect minimal T1098.005 Device Registration
aws_identity_and_access_management AWS Identity and Access Management protect significant T1110 Brute Force
aws_identity_and_access_management AWS Identity and Access Management protect significant T1110.001 Password Guessing
aws_identity_and_access_management AWS Identity and Access Management protect significant T1110.003 Password Spraying
aws_identity_and_access_management AWS Identity and Access Management protect significant T1110.004 Credential Stuffing
aws_identity_and_access_management AWS Identity and Access Management protect minimal T1528 Steal Application Access Token
aws_identity_and_access_management AWS Identity and Access Management protect partial T1548.005 Temporary Elevated Cloud Access
aws_identity_and_access_management AWS Identity and Access Management protect minimal T1550 Use Alternate Authentication Material
aws_identity_and_access_management AWS Identity and Access Management protect minimal T1550.001 Application Access Token
aws_identity_and_access_management AWS Identity and Access Management protect significant T1621 Multi-Factor Authentication Request Generation
aws_identity_and_access_management AWS Identity and Access Management protect partial T1648 Serverless Execution
aws_iot_device_defender AWS IoT Device Defender protect minimal T1020 Automated Exfiltration
aws_iot_device_defender AWS IoT Device Defender protect partial T1020.001 Traffic Duplication
aws_iot_device_defender AWS IoT Device Defender protect partial T1040 Network Sniffing
aws_iot_device_defender AWS IoT Device Defender detect partial T1041 Exfiltration Over C2 Channel
aws_iot_device_defender AWS IoT Device Defender detect partial T1046 Network Service Scanning
aws_iot_device_defender AWS IoT Device Defender detect partial T1048 Exfiltration Over Alternative Protocol
aws_iot_device_defender AWS IoT Device Defender detect partial T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
aws_iot_device_defender AWS IoT Device Defender detect partial T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
aws_iot_device_defender AWS IoT Device Defender detect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
aws_iot_device_defender AWS IoT Device Defender detect minimal T1071 Application Layer Protocol
aws_iot_device_defender AWS IoT Device Defender detect minimal T1078 Valid Accounts
aws_iot_device_defender AWS IoT Device Defender protect minimal T1078 Valid Accounts
aws_iot_device_defender AWS IoT Device Defender detect partial T1078.004 Cloud Accounts
aws_iot_device_defender AWS IoT Device Defender protect partial T1078.004 Cloud Accounts
aws_iot_device_defender AWS IoT Device Defender detect minimal T1095 Non-Application Layer Protocol
aws_iot_device_defender AWS IoT Device Defender detect partial T1496 Resource Hijacking
aws_iot_device_defender AWS IoT Device Defender detect partial T1530 Data from Cloud Storage Object
aws_iot_device_defender AWS IoT Device Defender detect minimal T1552 Unsecured Credentials
aws_iot_device_defender AWS IoT Device Defender detect partial T1552.004 Private Keys
aws_iot_device_defender AWS IoT Device Defender protect minimal T1557 Man-in-the-Middle
aws_iot_device_defender AWS IoT Device Defender detect minimal T1562 Impair Defenses
aws_iot_device_defender AWS IoT Device Defender respond minimal T1562 Impair Defenses
aws_iot_device_defender AWS IoT Device Defender detect partial T1562.008 Disable Cloud Logs
aws_iot_device_defender AWS IoT Device Defender respond partial T1562.008 Disable Cloud Logs
aws_key_management_service AWS Key Management Service protect minimal T1552 Unsecured Credentials
aws_key_management_service AWS Key Management Service protect partial T1552.001 Credentials In Files
aws_key_management_service AWS Key Management Service protect significant T1552.004 Private Keys
aws_key_management_service AWS Key Management Service protect partial T1588 Obtain Capabilities
aws_key_management_service AWS Key Management Service protect partial T1588.003 Code Signing Certificates
aws_key_management_service AWS Key Management Service protect partial T1588.004 Digital Certificates
aws_network_firewall AWS Network Firewall protect partial T1008 Fallback Channels
aws_network_firewall AWS Network Firewall protect partial T1018 Remote System Discovery
aws_network_firewall AWS Network Firewall protect partial T1021 Remote Services
aws_network_firewall AWS Network Firewall protect partial T1021.001 Remote Desktop Protocol
aws_network_firewall AWS Network Firewall protect partial T1021.002 SMB/Windows Admin Shares
aws_network_firewall AWS Network Firewall protect partial T1021.004 SSH
aws_network_firewall AWS Network Firewall protect partial T1021.005 VNC
aws_network_firewall AWS Network Firewall protect partial T1021.006 Windows Remote Management
aws_network_firewall AWS Network Firewall protect partial T1041 Exfiltration Over C2 Channel
aws_network_firewall AWS Network Firewall protect partial T1046 Network Service Scanning
aws_network_firewall AWS Network Firewall protect partial T1048 Exfiltration Over Alternative Protocol
aws_network_firewall AWS Network Firewall protect partial T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
aws_network_firewall AWS Network Firewall protect partial T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
aws_network_firewall AWS Network Firewall protect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
aws_network_firewall AWS Network Firewall protect significant T1071 Application Layer Protocol
aws_network_firewall AWS Network Firewall protect significant T1071.001 Web Protocols
aws_network_firewall AWS Network Firewall protect significant T1071.002 File Transfer Protocols
aws_network_firewall AWS Network Firewall protect significant T1071.003 Mail Protocols
aws_network_firewall AWS Network Firewall protect significant T1071.004 DNS
aws_network_firewall AWS Network Firewall protect partial T1090 Proxy
aws_network_firewall AWS Network Firewall protect partial T1090.002 External Proxy
aws_network_firewall AWS Network Firewall protect partial T1090.003 Multi-hop Proxy
aws_network_firewall AWS Network Firewall protect significant T1095 Non-Application Layer Protocol
aws_network_firewall AWS Network Firewall protect partial T1104 Multi-Stage Channels
aws_network_firewall AWS Network Firewall protect partial T1133 External Remote Services
aws_network_firewall AWS Network Firewall protect significant T1187 Forced Authentication
aws_network_firewall AWS Network Firewall protect partial T1205 Traffic Signaling
aws_network_firewall AWS Network Firewall protect partial T1205.001 Port Knocking
aws_network_firewall AWS Network Firewall protect partial T1205.002 Socket Filters
aws_network_firewall AWS Network Firewall protect partial T1219 Remote Access Software
aws_network_firewall AWS Network Firewall protect minimal T1498 Network Denial of Service
aws_network_firewall AWS Network Firewall protect minimal T1498.001 Direct Network Flood
aws_network_firewall AWS Network Firewall protect minimal T1498.002 Reflection Amplification
aws_network_firewall AWS Network Firewall protect partial T1499 Endpoint Denial of Service
aws_network_firewall AWS Network Firewall protect partial T1499.001 OS Exhaustion Flood
aws_network_firewall AWS Network Firewall protect partial T1499.002 Service Exhaustion Flood
aws_network_firewall AWS Network Firewall protect partial T1499.003 Application Exhaustion Flood
aws_network_firewall AWS Network Firewall protect partial T1530 Data from Cloud Storage Object
aws_network_firewall AWS Network Firewall protect minimal T1542 Pre-OS Boot
aws_network_firewall AWS Network Firewall protect partial T1542.005 TFTP Boot
aws_network_firewall AWS Network Firewall protect significant T1571 Non-Standard Port
aws_network_firewall AWS Network Firewall protect partial T1572 Protocol Tunneling
aws_network_firewall AWS Network Firewall detect partial T1589 Gather Victim Identity Information
aws_network_firewall AWS Network Firewall detect minimal T1589.001 Credentials
aws_network_firewall AWS Network Firewall detect partial T1589.002 Email Addresses
aws_network_firewall AWS Network Firewall detect minimal T1589.003 Employee Names
aws_network_firewall AWS Network Firewall protect partial T1590 Gather Victim Network Information
aws_network_firewall AWS Network Firewall protect partial T1590.001 Domain Properties
aws_network_firewall AWS Network Firewall protect partial T1590.004 Network Topology
aws_network_firewall AWS Network Firewall protect partial T1590.005 IP Addresses
aws_network_firewall AWS Network Firewall protect partial T1590.006 Network Security Appliances
aws_network_firewall AWS Network Firewall protect partial T1595 Active Scanning
aws_network_firewall AWS Network Firewall protect partial T1595.001 Scanning IP Blocks
aws_network_firewall AWS Network Firewall protect partial T1595.002 Vulnerability Scanning
aws_organizations AWS Organizations protect partial T1078 Valid Accounts
aws_organizations AWS Organizations protect significant T1078.004 Cloud Accounts
aws_organizations AWS Organizations protect minimal T1087 Account Discovery
aws_organizations AWS Organizations protect partial T1087.004 Cloud Account
aws_organizations AWS Organizations protect partial T1538 Cloud Service Dashboard
aws_organizations AWS Organizations protect partial T1580 Cloud Infrastructure Discovery
aws_organizations AWS Organizations protect partial T1651 Cloud Administration Command
aws_rds AWS RDS protect significant T1040 Network Sniffing
aws_rds AWS RDS protect partial T1190 Exploit Public-Facing Application
aws_rds AWS RDS respond significant T1190 Exploit Public-Facing Application
aws_rds AWS RDS protect partial T1210 Exploitation of Remote Services
aws_rds AWS RDS respond significant T1210 Exploitation of Remote Services
aws_rds AWS RDS protect significant T1485 Data Destruction
aws_rds AWS RDS detect partial T1485 Data Destruction
aws_rds AWS RDS respond significant T1485 Data Destruction
aws_rds AWS RDS respond significant T1486 Data Encrypted for Impact
aws_rds AWS RDS detect partial T1489 Service Stop
aws_rds AWS RDS detect partial T1490 Inhibit System Recovery
aws_rds AWS RDS respond significant T1490 Inhibit System Recovery
aws_rds AWS RDS detect partial T1529 System Shutdown/Reboot
aws_rds AWS RDS protect significant T1530 Data from Cloud Storage Object
aws_rds AWS RDS protect partial T1557 Man-in-the-Middle
aws_rds AWS RDS respond minimal T1561 Disk Wipe
aws_rds AWS RDS respond minimal T1561.001 Disk Content Wipe
aws_rds AWS RDS respond minimal T1561.002 Disk Structure Wipe
aws_rds AWS RDS protect partial T1565 Data Manipulation
aws_rds AWS RDS respond significant T1565 Data Manipulation
aws_rds AWS RDS protect significant T1565.001 Stored Data Manipulation
aws_rds AWS RDS respond significant T1565.001 Stored Data Manipulation
aws_rds AWS RDS protect significant T1565.002 Transmitted Data Manipulation
aws_rds AWS RDS respond significant T1565.002 Transmitted Data Manipulation
aws_s3 AWS S3 protect significant T1485 Data Destruction
aws_s3 AWS S3 protect significant T1530 Data from Cloud Storage Object
aws_secrets_manager AWS Secrets Manager protect partial T1212 Exploitation for Credential Access
aws_secrets_manager AWS Secrets Manager protect partial T1528 Steal Application Access Token
aws_secrets_manager AWS Secrets Manager protect partial T1552 Unsecured Credentials
aws_secrets_manager AWS Secrets Manager protect partial T1552.001 Credentials In Files
aws_secrets_manager AWS Secrets Manager protect partial T1552.002 Credentials in Registry
aws_secrets_manager AWS Secrets Manager protect partial T1552.004 Private Keys
aws_secrets_manager AWS Secrets Manager protect partial T1555 Credentials from Password Stores
aws_secrets_manager AWS Secrets Manager protect partial T1555.006 Cloud Secrets Management Stores
aws_security_hub AWS Security Hub detect partial T1068 Exploitation for Privilege Escalation
aws_security_hub AWS Security Hub detect minimal T1078 Valid Accounts
aws_security_hub AWS Security Hub detect significant T1078.004 Cloud Accounts
aws_security_hub AWS Security Hub detect minimal T1098 Account Manipulation
aws_security_hub AWS Security Hub detect significant T1098.001 Additional Cloud Credentials
aws_security_hub AWS Security Hub detect minimal T1110 Brute Force
aws_security_hub AWS Security Hub detect minimal T1110.001 Password Guessing
aws_security_hub AWS Security Hub detect minimal T1110.003 Password Spraying
aws_security_hub AWS Security Hub detect minimal T1110.004 Credential Stuffing
aws_security_hub AWS Security Hub detect partial T1190 Exploit Public-Facing Application
aws_security_hub AWS Security Hub detect partial T1203 Exploitation for Client Execution
aws_security_hub AWS Security Hub detect partial T1210 Exploitation of Remote Services
aws_security_hub AWS Security Hub detect partial T1211 Exploitation for Defense Evasion
aws_security_hub AWS Security Hub detect partial T1212 Exploitation for Credential Access
aws_security_hub AWS Security Hub detect minimal T1485 Data Destruction
aws_security_hub AWS Security Hub detect partial T1530 Data from Cloud Storage Object
aws_security_hub AWS Security Hub detect partial T1531 Account Access Removal
aws_security_hub AWS Security Hub protect significant T1543.005 Container Service
aws_security_hub AWS Security Hub detect partial T1562 Impair Defenses
aws_security_hub AWS Security Hub detect significant T1562.001 Disable or Modify Tools
aws_security_hub AWS Security Hub detect significant T1562.007 Disable or Modify Cloud Firewall
aws_security_hub AWS Security Hub detect significant T1562.008 Disable Cloud Logs
aws_security_hub AWS Security Hub detect partial T1580 Cloud Infrastructure Discovery
aws_security_hub AWS Security Hub detect minimal T1589 Gather Victim Identity Information
aws_security_hub AWS Security Hub detect minimal T1589.001 Credentials
aws_security_hub AWS Security Hub detect minimal T1589.002 Email Addresses
aws_security_hub AWS Security Hub detect minimal T1589.003 Employee Names
aws_security_hub AWS Security Hub detect minimal T1590 Gather Victim Network Information
aws_security_hub AWS Security Hub detect minimal T1590.001 Domain Properties
aws_security_hub AWS Security Hub detect minimal T1590.002 DNS
aws_security_hub AWS Security Hub detect minimal T1590.003 Network Trust Dependencies
aws_security_hub AWS Security Hub detect minimal T1590.004 Network Topology
aws_security_hub AWS Security Hub detect minimal T1590.005 IP Addresses
aws_security_hub AWS Security Hub detect minimal T1590.006 Network Security Appliances
aws_security_hub AWS Security Hub detect minimal T1591 Gather Victim Org Information
aws_security_hub AWS Security Hub detect minimal T1591.001 Determine Physical Locations
aws_security_hub AWS Security Hub detect minimal T1591.002 Business Relationships
aws_security_hub AWS Security Hub detect minimal T1591.003 Identify Business Tempo
aws_security_hub AWS Security Hub detect minimal T1591.004 Identify Roles
aws_security_hub AWS Security Hub detect minimal T1592 Gather Victim Host Information
aws_security_hub AWS Security Hub detect minimal T1592.001 Hardware
aws_security_hub AWS Security Hub detect minimal T1592.002 Software
aws_security_hub AWS Security Hub detect minimal T1592.003 Firmware
aws_security_hub AWS Security Hub detect minimal T1592.004 Client Configurations
aws_security_hub AWS Security Hub protect partial T1651 Cloud Administration Command
aws_shield AWS Shield respond significant T1498 Network Denial of Service
aws_shield AWS Shield respond significant T1498.001 Direct Network Flood
aws_shield AWS Shield respond significant T1498.002 Reflection Amplification
aws_shield AWS Shield respond significant T1499 Endpoint Denial of Service
aws_shield AWS Shield respond significant T1499.001 OS Exhaustion Flood
aws_shield AWS Shield respond significant T1499.002 Service Exhaustion Flood
aws_shield AWS Shield respond significant T1499.003 Application Exhaustion Flood
aws_single_sign-on AWS Single Sign-On protect partial T1078 Valid Accounts
aws_single_sign-on AWS Single Sign-On protect partial T1078.002 Domain Accounts
aws_single_sign-on AWS Single Sign-On protect partial T1078.004 Cloud Accounts
aws_single_sign-on AWS Single Sign-On protect partial T1110 Brute Force
aws_single_sign-on AWS Single Sign-On protect significant T1110.001 Password Guessing
aws_single_sign-on AWS Single Sign-On protect significant T1110.003 Password Spraying
aws_single_sign-on AWS Single Sign-On protect significant T1110.004 Credential Stuffing
aws_single_sign-on AWS Single Sign-On protect significant T1133 External Remote Services
aws_web_application_firewall AWS Web Application Firewall protect partial T1046 Network Service Scanning
aws_web_application_firewall AWS Web Application Firewall protect partial T1059 Command and Scripting Interpreter
aws_web_application_firewall AWS Web Application Firewall protect significant T1059.001 PowerShell
aws_web_application_firewall AWS Web Application Firewall protect significant T1059.004 Unix Shell
aws_web_application_firewall AWS Web Application Firewall protect significant T1059.007 JavaScript
aws_web_application_firewall AWS Web Application Firewall protect minimal T1071 Application Layer Protocol
aws_web_application_firewall AWS Web Application Firewall protect minimal T1071.001 Web Protocols
aws_web_application_firewall AWS Web Application Firewall protect partial T1090 Proxy
aws_web_application_firewall AWS Web Application Firewall protect partial T1090.002 External Proxy
aws_web_application_firewall AWS Web Application Firewall protect partial T1090.003 Multi-hop Proxy
aws_web_application_firewall AWS Web Application Firewall protect significant T1189 Drive-by Compromise
aws_web_application_firewall AWS Web Application Firewall protect significant T1190 Exploit Public-Facing Application
aws_web_application_firewall AWS Web Application Firewall protect significant T1203 Exploitation for Client Execution
aws_web_application_firewall AWS Web Application Firewall protect partial T1595 Active Scanning
aws_web_application_firewall AWS Web Application Firewall protect partial T1595.001 Scanning IP Blocks
aws_web_application_firewall AWS Web Application Firewall protect partial T1595.002 Vulnerability Scanning
aws_web_application_firewall AWS Web Application Firewall protect partial T1595.003 Wordlist Scanning

Non-Mappable Capabilities

Non-mappable capabilities are either out of scope or unable to be mapped to any ATT&CK objects
Capability ID Capability Description
aws_cloudtrail AWS CloudTrail
aws_security_lake AWS Security Lake
aws_audit_manager AWS Audit Manager
aws_artifact AWS Artifact
aws_directory_service AWS Directory Service
amazon_macie Amazon Macie
aws_firewall_manager AWS Firewall Manager
aws_certificate_manager AWS Certificate Manager
amazon_detective Amazon Detective
aws_resource_access_manager AWS Resource Access Manager