Data theft techniques
Closed this issue · 8 comments
Should be straightforward. I'll grab this one
Great Thanks Christophe!
Famous last words: "should be straightforward"
Even though AWS documentation (https://docs.aws.amazon.com/cloudshell/latest/userguide/logging-and-monitoring.html) makes it seem like all CloudShell events they list out will be pushed to EventBridge as events, this doesn't appear to be the case. It does push through events like CreateSession, PutCredentials, etc., but it doesn't appear to push GetFileDownloadUrls, which is the one we need. This is the EventPattern I used (straight from their docs):
{ "source": [ "aws.cloudshell" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "cloudshell.amazonaws.com" ] } }
Sending those events to a CloudWatch Logs Group, I am able to see some of the events but again not the one we needed here. I'm going to keep playing around with it and probably contact AWS support to see if this is a bug or something I'm missing. In the meantime, I had to set this up as a CloudWatch Metric & Alarm, which does work. I would have preferred EventBridge and will update once this gets figured out, but in the meantime this will work. Doing a final round of testing and then I'll create the PR
That's what I was thinking originally, but no I don't think so:
- The event is visible in CloudTrail's Event History and is labeled as a Management Event
For reference:
{
  "eventVersion": "1.08",
  "userIdentity": {
    ...
  },
  "eventTime": "2024-02-13T04:37:21Z",
  "eventSource": "cloudshell.amazonaws.com",
  "eventName": "GetFileDownloadUrls",
  "awsRegion": "us-east-1",
  "requestParameters": {
    "FileDownloadPath": "/home/cloudshell-user/test.txt",
    "EnvironmentId": "xxx"
  },
  "responseElements": null,
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "xxx",
  "eventCategory": "Management"
}
- The event gets pushed to CloudWatch logs and I'm able to find it with CloudWatch Insights, so it's definitely getting picked up by CloudTrail and being pushed to CloudWatch. The only time I can't get the event to push through is when I involve EventBridge
Hold off on this, I just figured it out. EventBridge recently got an update that requires using State: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS in order to receive read-only management events from CloudTrail in EventBridge. That's why it wasn't receiving it. More info here: https://aws.amazon.com/blogs/compute/introducing-support-for-read-only-management-events-in-amazon-eventbridge/
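The comment above pins the failure on rule state rather than on the event pattern. The following added example (written for this thread, not code from the project or from AWS) checks both halves of that diagnosis offline: it applies the exact-match subset of EventBridge pattern semantics to the docs pattern and a constructed copy of the GetFileDownloadUrls record wrapped in the EventBridge envelope, classifies the record as a read-only management event (readOnly and managementEvent both true), and builds the PutRule arguments with the State value the fix requires. The account id and EventBridge envelope fields are constructed placeholders; the pattern matcher deliberately covers only list-of-values and nested-object patterns, not content filters such as prefix or anything-but.

```python
"""Why the CloudShell download rule silently matched nothing: a worked check."""
from __future__ import annotations

import json
from typing import Any

# Event pattern copied from the thread (the one AWS documents for CloudShell).
CLOUDSHELL_PATTERN: dict[str, Any] = {
    "source": ["aws.cloudshell"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudshell.amazonaws.com"]},
}

# Constructed sample: the CloudTrail record from the thread, wrapped in the
# envelope EventBridge delivers it in. Account and environment ids are placeholders.
SAMPLE_EVENT: dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudshell",
    "account": "111111111111",
    "time": "2024-02-13T04:37:21Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "eventTime": "2024-02-13T04:37:21Z",
        "eventSource": "cloudshell.amazonaws.com",
        "eventName": "GetFileDownloadUrls",
        "awsRegion": "us-east-1",
        "requestParameters": {
            "FileDownloadPath": "/home/cloudshell-user/test.txt",
            "EnvironmentId": "xxx",
        },
        "responseElements": None,
        "readOnly": True,
        "eventType": "AwsApiCall",
        "managementEvent": True,
        "recipientAccountId": "111111111111",
        "eventCategory": "Management",
    },
}


def pattern_matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """Exact-value subset of EventBridge pattern matching.

    Every key in the pattern must be present in the event. A list in the
    pattern is the set of accepted values; a nested object recurses.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"pattern values must be lists or objects, got {expected!r}")
    return True


def requires_all_management_events_state(detail: dict[str, Any]) -> bool:
    """True for read-only management events, which a plain ENABLED rule never sees."""
    return bool(detail.get("readOnly")) and bool(detail.get("managementEvent"))


def build_put_rule_request(rule_name: str, pattern: dict[str, Any],
                           detail: dict[str, Any]) -> dict[str, Any]:
    """Keyword arguments for EventBridge PutRule (e.g. boto3 events.put_rule(**kwargs)).

    The rule State is chosen from the record we intend to catch, so a read-only
    management event gets ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS instead
    of being dropped by the default state.
    """
    state = ("ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"
             if requires_all_management_events_state(detail) else "ENABLED")
    return {
        "Name": rule_name,
        "EventPattern": json.dumps(pattern),
        "State": state,
        "Description": "Alert on CloudShell file downloads (GetFileDownloadUrls)",
    }


def is_file_download(event: dict[str, Any]) -> bool:
    """Detection a rule target would apply: CloudShell download URL request."""
    return (pattern_matches(CLOUDSHELL_PATTERN, event)
            and event["detail"].get("eventName") == "GetFileDownloadUrls")


if __name__ == "__main__":
    print("pattern matches:", pattern_matches(CLOUDSHELL_PATTERN, SAMPLE_EVENT))
    print("is file download:", is_file_download(SAMPLE_EVENT))
    print(json.dumps(build_put_rule_request("cloudshell-file-download",
                                            CLOUDSHELL_PATTERN, SAMPLE_EVENT["detail"]), indent=2))
```

Running it shows the pattern does match the event, so the only reason the rule stayed quiet was delivery: the record is readOnly and managementEvent, and the generated PutRule request therefore carries State ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS. A mutating CloudShell call such as PutCredentials (readOnly false) would get the ordinary ENABLED state from the same helper.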
^^^ here we go, this is what we want. This was an interesting learning experience for sure :)
Great! Thanks!