


  • API logging and new API keys detection

  • daniel-15

    Member
    September 22, 2020 at 2:14 pm

    Hey there. I’d like to know something regarding this question:

    “A Security Engineer found out that API logging was disabled in the corporate AWS production account. The Engineer also noticed that the root IAM user was used to create new API keys without approval.

    What should the engineer do to detect and automatically remediate these types of security incidents?”

    In the correct answer, you state:
    “Create a config rule in AWS Config that detects when AWS CloudTrail is disabled. Set another rule to monitor any calls to the create-api-key by the root IAM user. Set up a Lambda to reenable CloudTrail logs and deactivate the root API keys.”

    How do you create a Config rule to monitor calls to create-api-keys? By default, I only see four IAM-related events in the Config triggers. Does this rely on making a custom trigger?

  • TutorialsDojo-Support

    Member
    September 22, 2020 at 10:12 pm

    Hello daniel-15,

    Thank you for your feedback.

    “Create a config rule in AWS Config that detects when AWS CloudTrail is disabled. Set another rule to monitor any calls to the create-api-key by the root IAM user. Set up a Lambda to reenable CloudTrail logs and deactivate the root API keys.”

    How do you create a Config rule to monitor calls to create-api-keys? By default, I only see four IAM-related events in the Config triggers. Does this rely on making a custom trigger?

    Yes, you will need to add a Custom Rule with a trigger on AWS Config for detecting calls to create-api-keys for the root account. That’s why you will also need to write a Lambda function for it to check that API call and deactivate the key if it is created.

    Although AWS has provided several AWS Config rules by default, you can always create your own rules. And AWS Config is also integrated with SSM Automation on which you can run your SSM Automation Documents to automate remediations on any violation detected by AWS Config.

    Hope this helps. If you have any other concerns, we’d be happy to hear them.

    Regards,

    Kenneth Samonte @ Tutorials Dojo
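    The two halves of the custom rule discussed above, as an added example that is not part of the thread or Tutorials Dojo's own material: a periodic AWS Config custom rule that reports each trail's logging state and re-enables logging where it is stopped, plus the classifier and deactivation step a Lambda would apply to a CloudTrail `CreateAccessKey` record made with root credentials. The AWS clients are injected so the logic runs offline against the constructed fakes at the bottom; the real handler only imports boto3 when invoked in Lambda. The account id, trail name, access key id and the `FakeCloudTrail`/`FakeIam` classes are constructed placeholders, and the example assumes the execution role is permitted to call `iam:UpdateAccessKey` on the key it deactivates.

```python
"""Custom AWS Config rule + remediation for the scenario in the thread (added example)."""
import json

# ---- Part 1: Config custom rule that checks whether CloudTrail is logging ----

def evaluate_cloudtrail(cloudtrail, account_id, ordering_timestamp):
    """Build Config evaluations: one per trail, NON_COMPLIANT where logging is stopped.
    With no trail at all, a single account-level NON_COMPLIANT evaluation is returned."""
    trails = cloudtrail.describe_trails()["trailList"]
    evaluations = []
    for trail in trails:
        status = cloudtrail.get_trail_status(Name=trail["TrailARN"])
        logging_on = status.get("IsLogging", False)
        evaluations.append({
            "ComplianceResourceType": "AWS::CloudTrail::Trail",
            "ComplianceResourceId": trail["Name"],
            "ComplianceType": "COMPLIANT" if logging_on else "NON_COMPLIANT",
            "Annotation": "Trail is logging" if logging_on else "Trail logging is stopped",
            "OrderingTimestamp": ordering_timestamp,
        })
    if not trails:
        evaluations.append({
            "ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": account_id,
            "ComplianceType": "NON_COMPLIANT",
            "Annotation": "No CloudTrail trail exists in this account",
            "OrderingTimestamp": ordering_timestamp,
        })
    return evaluations


def remediate_cloudtrail(cloudtrail, evaluations):
    """Call StartLogging on every trail the evaluation marked NON_COMPLIANT; return their names."""
    restarted = []
    for ev in evaluations:
        if (ev["ComplianceResourceType"] == "AWS::CloudTrail::Trail"
                and ev["ComplianceType"] == "NON_COMPLIANT"):
            cloudtrail.start_logging(Name=ev["ComplianceResourceId"])
            restarted.append(ev["ComplianceResourceId"])
    return restarted


# ---- Part 2: detect CreateAccessKey made by the root user and deactivate the key ----

def is_root_access_key_creation(record):
    """True for a successful IAM CreateAccessKey call signed with root credentials."""
    identity = record.get("userIdentity", {})
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") == "CreateAccessKey"
            and identity.get("type") == "Root"
            and "errorCode" not in record)          # failed calls carry errorCode


def created_access_key_id(record):
    """CloudTrail logs the new key id (never the secret) under responseElements."""
    return record.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")


def deactivate_created_key(iam, record):
    """Set the new key to Inactive (reversible, unlike delete). Returns the key id or None."""
    if not is_root_access_key_creation(record):
        return None
    key_id = created_access_key_id(record)
    if key_id is None:
        return None
    # Assumption: the Lambda execution role may call iam:UpdateAccessKey on this key.
    iam.update_access_key(AccessKeyId=key_id, Status="Inactive")
    return key_id


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule on its periodic trigger."""
    import boto3  # imported here so the functions above run without the AWS SDK installed
    invoking = json.loads(event["invokingEvent"])
    cloudtrail = boto3.client("cloudtrail")
    evaluations = evaluate_cloudtrail(cloudtrail, event["accountId"],
                                      invoking["notificationCreationTime"])
    remediate_cloudtrail(cloudtrail, evaluations)
    boto3.client("config").put_evaluations(Evaluations=evaluations,
                                           ResultToken=event["resultToken"])


# ---- Constructed fakes and sample data so the logic can be exercised offline ----

class FakeCloudTrail:
    """Stand-in for boto3's CloudTrail client: one trail whose logging has been stopped."""
    def __init__(self):
        self.logging = {"arn:aws:cloudtrail:us-east-1:111122223333:trail/prod-trail": False}
    def describe_trails(self):
        return {"trailList": [{"Name": arn.rsplit("/", 1)[1], "TrailARN": arn} for arn in self.logging]}
    def get_trail_status(self, Name):
        return {"IsLogging": self.logging[Name]}
    def start_logging(self, Name):
        for arn in self.logging:                    # real API accepts a name or an ARN
            if arn == Name or arn.endswith("/" + Name):
                self.logging[arn] = True

class FakeIam:
    """Stand-in for boto3's IAM client that records status changes."""
    def __init__(self):
        self.statuses = {}
    def update_access_key(self, AccessKeyId, Status, **kwargs):
        self.statuses[AccessKeyId] = Status

# Constructed CloudTrail records; account id and key id are placeholders.
SAMPLE_ROOT_CREATE_ACCESS_KEY = {
    "eventVersion": "1.08",
    "userIdentity": {"type": "Root", "principalId": "111122223333",
                     "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
    "eventTime": "2020-09-22T06:14:00Z", "eventSource": "iam.amazonaws.com",
    "eventName": "CreateAccessKey",
    "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEPLACEHOLD", "status": "Active"}},
}
SAMPLE_IAM_USER_CREATE_ACCESS_KEY = dict(
    SAMPLE_ROOT_CREATE_ACCESS_KEY,
    userIdentity={"type": "IAMUser", "userName": "deploy-bot", "accountId": "111122223333"},
)
```

The Config half is a periodic rule, so it does not depend on a configuration-change trigger for an IAM resource type, which is why the console only offers a handful of IAM triggers. The key half deactivates rather than deletes so an incident responder can review and, if the key turns out to be legitimate, reactivate it.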

  • daniel-15

    Member
    September 22, 2020 at 11:51 pm

    Thanks for your answer. It still feels a bit strange to use Config for something like that, but it makes the process clearer 🙂
