
☁️ Cloud Artefacts

Cloud Logs

Audit

Login activity

From an identity with IAM read access (for example the administrator account) go to IAM -> Credential report and download the CSV. It can be regenerated at most once every four hours, lists every IAM user plus the root user, and has the following columns:

  1. user (the root user appears as <root_account>)
  2. arn (arn:aws:iam::<account-id>:user/<username>)
  3. user_creation_time
  4. password_enabled
  5. password_last_used
  6. password_last_changed
  7. password_next_rotation
  8. mfa_active
  9. access_key_1_active
  10. access_key_1_last_rotated
  11. access_key_1_last_used_date
  12. access_key_1_last_used_region
  13. access_key_1_last_used_service
  14. access_key_2_active
  15. access_key_2_last_rotated
  16. access_key_2_last_used_date
  17. access_key_2_last_used_region
  18. access_key_2_last_used_service
  19. cert_1_active
  20. cert_1_last_rotated
  21. cert_2_active
  22. cert_2_last_rotated
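The columns above are what an investigator reads by hand; the script below is an added example (not part of the original page) that performs the same triage on a credential report CSV. It flags console passwords without MFA, stale passwords, access keys not rotated within an assumed 90-day window, active keys that have never been used, and any root access key. The embedded report is constructed sample data with the real column layout; a genuine report is obtained with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`.

```python
"""Triage an IAM credential report CSV (IAM -> Credential report, or fetched with
`aws iam generate-credential-report` and `aws iam get-credential-report`)."""
import csv
import io
from datetime import datetime, timedelta, timezone

ROTATION_MAX_DAYS = 90  # assumed policy: keys/passwords older than this are flagged
REFERENCE_TIME = datetime(2024, 5, 22, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample report (not data from a real account). The header is the real
# column set; the root user appears as <root_account> exactly as in a genuine report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T09:00:00+00:00,not_supported,2024-05-02T08:15:00+00:00,not_supported,not_supported,false,true,2019-03-01T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T10:00:00+00:00,true,2024-05-20T07:30:00+00:00,2024-01-15T10:00:00+00:00,N/A,true,true,2024-03-01T10:00:00+00:00,2024-05-19T12:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-01T10:00:00+00:00,true,2023-02-11T09:00:00+00:00,2021-06-01T10:00:00+00:00,N/A,false,true,2021-06-01T10:01:00+00:00,2024-05-21T03:12:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2023-09-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-09-01T10:00:00+00:00,N/A,N/A,N/A,true,2024-04-01T10:00:00+00:00,2024-05-20T22:00:00+00:00,us-east-1,lambda,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Timestamps are ISO 8601; the markers N/A, no_information, not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def _older_than(ts, now, days):
    return ts is not None and now - ts > timedelta(days=days)


def triage_credential_report(csv_text, now=None):
    """Return findings as (user, code, detail) tuples."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        if is_root and not has_mfa:
            findings.append((user, "ROOT_NO_MFA", "root user has no MFA device"))
        if has_password and not has_mfa:
            findings.append((user, "PASSWORD_NO_MFA", "console login possible without MFA"))
        last_login = _parse_ts(row["password_last_used"])
        if has_password and _older_than(last_login, now, ROTATION_MAX_DAYS):
            findings.append((user, "STALE_PASSWORD",
                             f"console password last used {(now - last_login).days} days ago"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "ROOT_ACCESS_KEY", f"root access key {n} is active"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if _older_than(rotated, now, ROTATION_MAX_DAYS):
                findings.append((user, "OLD_ACCESS_KEY",
                                 f"access key {n} last rotated {(now - rotated).days} days ago"))
            if _parse_ts(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, "UNUSED_ACCESS_KEY",
                                 f"access key {n} is active but has never been used"))
    return findings


if __name__ == "__main__":
    for user, code, detail in triage_credential_report(SAMPLE_REPORT, REFERENCE_TIME):
        print(f"{user:16} {code:18} {detail}")
```

On the sample, alice (MFA, recently rotated key) produces nothing, while the root row yields four findings on its own; in a real review the root access key is the first thing to chase, since `password_last_used` and `access_key_N_last_used_*` on that row also tell you whether anyone has been using the root identity at all.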

Service usage activity

Also, IAM -> Users -> <username> -> Access Advisor shows the services this user's policies allow and when each service was last accessed (AWS calls this service last accessed data). The same tab exists for groups, roles and policies, so it also tells you which of a role's permissions are actually exercised.

Cloud Users And Policies

IAM

Stands for Identity and Access Management. The entity making a request is called a principal: an IAM user, an IAM role, the account root user, a federated identity, or an AWS service acting on your behalf. Users and services can assume roles. An instance profile is a container for one IAM role that is attached to an EC2 instance; the instance fetches that role's temporary credentials from the instance metadata service, so its API calls show up in CloudTrail as that role's session, not as a user.

IAM role. A principal with no long-term credentials of its own that is assumed by others (users, services, instances, other accounts) through STS. Whoever assumes the role receives temporary credentials (an access key ID beginning with ASIA, a secret key and a session token) that expire after the session duration, and their subsequent activity is recorded under the session ARN (arn:aws:sts::<account-id>:assumed-role/<role>/<session-name>) rather than under the original identity.

AWS Configuration

Default Configurations

By default a newly created security group has no inbound rules, so SSH (22) and RDP (3389) are closed. The EC2 launch wizard offers to open them (by default from 0.0.0.0/0, i.e. anywhere) and warns how dangerous this is, so during an investigation check whether such a rule was accepted. VPC Traffic Mirroring copies the network traffic of an instance's elastic network interface to a target you control (another ENI or a Network Load Balancer), where it can be inspected with open-source tools such as Zeek or Suricata.
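As an added example (not from the original page), the script below audits `aws ec2 describe-security-groups --output json` output for the two ports discussed above and reports every group that exposes SSH or RDP to any IPv4 or IPv6 address. It handles the cases a naive port comparison misses: a rule with `IpProtocol` `-1` (all traffic), a TCP rule spanning a port range, and an IPv6 `::/0` rule sitting next to a tightly scoped IPv4 one. The input is constructed sample data in the shape the CLI emits.

```python
"""Flag security group rules that expose SSH (22) or RDP (3389) to the whole internet.
Input shape is that of `aws ec2 describe-security-groups --output json`."""
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample (not output from a real account).
SAMPLE_DESCRIBE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-1f2e3d4c", "GroupName": "windows-admin", "IpPermissions": [
        # IPv4 is pinned to one admin host, but the IPv6 side is open to everyone.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-5a6b7c8d", "GroupName": "allow-all", "IpPermissions": [
        # IpProtocol -1 means all protocols and ports; FromPort/ToPort are absent.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-9e8d7c6b", "GroupName": "internal-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]})


def _rule_covers_port(rule, port):
    """True if a TCP rule (or an all-traffic rule) includes the given port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # "6" is the IANA protocol number for TCP
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _rule_open_to_world(rule):
    """True if the rule's source includes every IPv4 or every IPv6 address."""
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return ANY_V4 in v4 or ANY_V6 in v6


def exposed_admin_ports(describe_sgs_json):
    """Return [(group_id, group_name, port, service)] for world-reachable admin ports."""
    findings = []
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not _rule_open_to_world(rule):
                continue
            for port, service in ADMIN_PORTS.items():
                if _rule_covers_port(rule, port):
                    findings.append((sg["GroupId"], sg["GroupName"], port, service))
    return findings


if __name__ == "__main__":
    for group_id, name, port, service in exposed_admin_ports(SAMPLE_DESCRIBE_SGS):
        print(f"{group_id} ({name}): {service} {port}/tcp reachable from the internet")
```

A security group finding is about reachability policy, not proven exposure: the instance also needs a public or elastic IP and a route to an internet gateway before the port is actually reachable, so pair this with `describe-instances` and the VPC route tables when scoping an incident.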

Custom Config

If SSM (AWS Systems Manager) is enabled, Run Command and Session Manager activity (SendCommand, StartSession) is logged in CloudTrail. For an instance to be managed, at least the AmazonSSMManagedInstanceCore policy must be attached to its instance profile role. Look at which policies grant ssm:SendCommand and ssm:StartSession and which users and roles hold them. Which commands can be run can also be restricted by limiting the allowed SSM documents and target instances in the IAM policy. Command text and output are not in CloudTrail; they are in the Systems Manager command history (aws ssm list-command-invocations --details) and in any S3 or CloudWatch Logs output location that was configured.
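Two points above meet in CloudTrail: an assumed role leaves activity under a session ARN (the IAM role paragraph), and SSM commands are one of the things that activity may include (this paragraph). The added example below (not the page's own code) walks a constructed set of CloudTrail records, maps each assumed-role session ARN back to the principal whose sts:AssumeRole call created it (following role chaining where logged), and then lists SendCommand/StartSession events attributed to that original principal. Record field layout follows CloudTrail's published format; the account ID, ARNs, key IDs and instance ID are constructed. Where the AssumeRole call is not in the log window, which is always the case for instance-profile sessions, the attribution falls back to the issuing role.

```python
"""Attribute CloudTrail activity performed under an assumed role to the principal that
assumed it, then list Systems Manager (SSM) Run Command / Session Manager activity with
that attribution. Input is CloudTrail's JSON log format: an object with a "Records" array."""
import json

SSM_EVENTS = {"SendCommand", "StartSession"}
ACCOUNT = "123456789012"  # constructed account id used by the sample records

# Constructed records (not from a real account). Key IDs beginning with ASIA are temporary
# STS credentials, AKIA are long-term IAM user keys. For an instance-profile session the
# role session name is the instance id and no AssumeRole event appears in the trail.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-05-21T09:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob", "accountId": ACCOUNT,
                      "accessKeyId": "AKIAEXAMPLEBOB", "userName": "bob"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/OpsAdmin", "roleSessionName": "bob-ops"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLESESSION1", "expiration": "May 21, 2024, 10:00:00 AM"},
                          "assumedRoleUser": {"assumedRoleId": "AROAEXAMPLEOPS:bob-ops",
                                              "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/OpsAdmin/bob-ops"}}},
    {"eventTime": "2024-05-21T09:05:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/OpsAdmin/bob-ops",
                      "accountId": ACCOUNT, "accessKeyId": "ASIAEXAMPLESESSION1",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/OpsAdmin"},
                                         "attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0abc123def456789"]},
     "responseElements": {"command": {"commandId": "11111111-2222-3333-4444-555555555555"}}},
    {"eventTime": "2024-05-21T09:10:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "accountId": ACCOUNT,
                      "accessKeyId": "AKIAEXAMPLEALICE", "userName": "alice"},
     "requestParameters": {"target": "i-0abc123def456789"},
     "responseElements": {"sessionId": "alice-0123456789abcdef0"}},
    {"eventTime": "2024-05-21T09:12:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/OpsAdmin/bob-ops",
                      "accountId": ACCOUNT, "accessKeyId": "ASIAEXAMPLESESSION1",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/OpsAdmin"}}},
     "requestParameters": None, "responseElements": None},
    {"eventTime": "2024-05-21T09:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Auditor/i-0abc123def456789",
                      "accountId": ACCOUNT, "accessKeyId": "ASIAEXAMPLESESSION2",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/Auditor"},
                                         "ec2RoleDelivery": "2.0"}},
     "requestParameters": None, "responseElements": None},
]})


def parse_records(log_text):
    return json.loads(log_text)["Records"]


def is_temporary_key(access_key_id):
    """STS-issued (role session) keys start with ASIA; long-term IAM user keys start with AKIA."""
    return str(access_key_id).startswith("ASIA")


def build_session_map(records):
    """Map each assumed-role session ARN to who created it, from successful sts:AssumeRole events."""
    sessions = {}
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") != "AssumeRole" or r.get("errorCode"):
            continue
        resp = r.get("responseElements") or {}
        session_arn = resp.get("assumedRoleUser", {}).get("arn")
        if session_arn:
            sessions[session_arn] = {"assumed_by": r["userIdentity"].get("arn"),
                                     "temporary_key": resp.get("credentials", {}).get("accessKeyId"),
                                     "assumed_at": r["eventTime"]}
    return sessions


def original_principal(record, sessions):
    """ARN of the identity ultimately behind a record, following role chaining where logged."""
    ident = record["userIdentity"]
    arn = ident.get("arn")
    seen = set()
    while arn in sessions and arn not in seen:  # a role may itself have assumed another role
        seen.add(arn)
        arn = sessions[arn]["assumed_by"] or arn
    if ident.get("type") == "AssumedRole" and arn == ident.get("arn"):
        # No AssumeRole in the window (e.g. an instance profile): fall back to the issuing role.
        arn = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", arn)
    return arn


def attribute_records(log_text):
    """(eventTime, eventName, acting ARN, original principal ARN) for every record."""
    records = parse_records(log_text)
    sessions = build_session_map(records)
    return [(r["eventTime"], r["eventName"], r["userIdentity"].get("arn"), original_principal(r, sessions))
            for r in records]


def ssm_activity(log_text):
    """Run Command / Session Manager events, each attributed to the original principal."""
    records = parse_records(log_text)
    sessions = build_session_map(records)
    activity = []
    for r in records:
        if r.get("eventSource") != "ssm.amazonaws.com" or r.get("eventName") not in SSM_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        instances = params.get("instanceIds") or ([params["target"]] if "target" in params else [])
        activity.append({"time": r["eventTime"], "event": r["eventName"], "document": params.get("documentName"),
                         "instances": instances, "actor": r["userIdentity"].get("arn"),
                         "actor_is_temporary": is_temporary_key(r["userIdentity"].get("accessKeyId", "")),
                         "original_principal": original_principal(r, sessions)})
    return activity


if __name__ == "__main__":
    for a in ssm_activity(SAMPLE_RECORDS):
        print(f'{a["time"]} {a["event"]:12} {a["document"] or "-":20} {",".join(a["instances"])} '
              f'by {a["actor"]} (temporary key: {a["actor_is_temporary"]}) -> {a["original_principal"]}')
```

The session map only resolves what the trail window contains, so pull the AssumeRole events from the start of the investigation window even if the SSM activity you care about is at the end; the matching `temporary_key` lets you pivot on the ASIA key ID across every other event the session produced.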