Multifactor authentication (MFA) requires users to provide more than just a username and password to access resources. The additional information required may be an authentication code sent via text message, a push notification that requires approval, biometrics data, a secret question, or a key fob (among others). Together, the regular login and additional factor(s) provide increased security in both cloud and on-premises environments.
Why should you care? Because studies show that many—if not most—of the world's data breaches are attributable to compromised authentication. For example, reports showed that the leak of the three billion Yahoo! user accounts in 2013/4 was, in large part, due to compromised credentials. Such a mistake can cost a company dearly.
Bottom line: If you do not yet have multi-factor authentication (MFA) enabled in your AWS environment, go do that now and come back to finish reading this blog later. I'll wait. (Here's a great resource on how to enable MFA in AWS.)
How to Keep Your AWS Environment Protected on a Continuous Basis
Once you've enabled MFA and rolled out a strict authentication policy, it's time to ensure that no single-factor authenticated users escape your purview. If you're already using Splunk Enterprise Security (ES) and the Enterprise Security Content Update (ESCU), you can take advantage of a cool new detection search designed to help you monitor for users without MFA enabled in AWS.
The search, called "Detect users without MFA enabled in AWS" looks for successful API calls via CloudTrail. It filters out events triggered by known users or service accounts. Next, it outputs a table containing the event names and count, as well as the first and last time a specific user or service account is detected.
To enable this search, you'll need to install the Splunk App for AWS (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You'll populate the expanded identity lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Splunk ES.
Be prepared for false positives, such as legitimate activity detected by users/service accounts that are not listed in the AWS service accounts user file. If a user does turn out to be a verified service account, you can whitelist them by adding them to the AWS service accounts lookup table.
Keep An Eye Out for Unusual Access Control List Activity
Another cloud search included in this week’s ESCU release looks for AWS CloudTrail log entries that have recorded AWS API calls specifically for creating/modifying/replacing network access-control lists (ACLs). Spikes in these types of activities may indicate that an unauthorized user is trying to interfere with your ACLs.
This search requires the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later).
Install the Latest Version of ESCU
The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download Splunk ES Content Update v1.0.16 now.