Cloud Infrastructure Discovery

An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request.[1][2] Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project[3], and Azure's CLI command az vm list lists details of virtual machines.[4]

An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.[5] The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.[6] Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.

ID: T1580
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: IaaS
Permissions Required: User
Data Sources: Cloud Storage: Cloud Storage Enumeration, Cloud Storage: Cloud Storage Metadata, Instance: Instance Enumeration, Instance: Instance Metadata, Snapshot: Snapshot Enumeration, Snapshot: Snapshot Metadata, Volume: Volume Enumeration, Volume: Volume Metadata
Contributors: Praetorian
Version: 1.1
Created: 20 August 2020
Last Modified: 08 March 2021

Mitigations

ID Mitigation Description
M1018 User Account Management

Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.

Detection

Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

References