AWS AddPermission20150331v2
Adds a permission to a Lambda function's resource-based policy, allowing specified principals to invoke the function.
AWS Events
AWS Security Events
Section titled “AWS Security Events”Amazon Web Services (AWS) specific security events, detections, and incident response procedures. These events are typically sourced from AWS CloudTrail, CloudWatch, VPC Flow Logs, and other AWS native logging services.
Common AWS Attack Patterns
Section titled “Common AWS Attack Patterns”- Console Login Anomalies: Unusual sign-in patterns or locations
- IAM Privilege Escalation: Unauthorized role assumptions or policy modifications
- S3 Bucket Exposure: Public bucket configurations or data exfiltration
- EC2 Instance Compromise: Unauthorized instance access or lateral movement
- Lambda Function Abuse: Serverless function exploitation for persistence
AWS-Specific Log Sources
Section titled “AWS-Specific Log Sources”- AWS CloudTrail: API call logging and user activity
- AWS CloudWatch: Application and infrastructure monitoring
- VPC Flow Logs: Network traffic analysis
- AWS Config: Configuration change tracking
- Amazon GuardDuty: Threat detection service
Events Related to AWS
Section titled “Events Related to AWS”AWS AddRoleToInstanceProfile
Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
AWS AddUserToGroup
Adds an IAM user to a specified group, granting the user all permissions attached to that group.
AWS ArchiveFindings
Archives GuardDuty findings to suppress active security alerts from SOC visibility.
AWS AssociateIamInstanceProfile
Associates an IAM instance profile with an EC2 instance, granting the instance permissions defined by the profile's IAM role.
AWS AssumeRole
Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role's permissions.
AWS AssumeRoleWithSAML
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
AWS AssumeRoleWithWebIdentity
Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.
AWS AttachGroupPolicy
Attaches a managed IAM policy to a group, granting all group members the permissions defined in that policy.
AWS AttachRolePolicy
Attaches a managed IAM policy to an IAM role, granting the role the permissions defined in that policy.
AWS AttachUserPolicy
Attaches a managed IAM policy directly to an IAM user, granting them the permissions defined in that policy.
AWS AuthorizeDBSecurityGroupIngress
Adds inbound rules to an RDS DB security group, allowing specified IP ranges or EC2 security groups to access the database.
AWS AuthorizeSecurityGroupEgress
Adds outbound rules to a VPC security group, permitting traffic from instances to specified destination IP ranges or security groups.
AWS AuthorizeSecurityGroupIngress
Adds inbound rules to a VPC security group, permitting traffic from specified IP ranges or security groups to reach instances.
AWS ChangePassword
Allows an IAM user to change their own AWS Management Console login password.
AWS ConsoleLogin
Records a sign-in attempt to the AWS Management Console, capturing success or failure status and whether MFA was used.
AWS CopyObject
Copies an object from one S3 location to another, within or across buckets, optionally modifying metadata or encryption.
AWS CreateAccessEntry
Creates an access entry for an EKS cluster, granting an IAM principal Kubernetes API access via EKS access management.
AWS CreateAccessKey
Creates a new long-term access key for an IAM user, enabling programmatic access to AWS services.
AWS CreateAccount
Creates a new AWS account as a member of an AWS Organization under the management account.
AWS CreateAssociation
Creates an SSM State Manager association, binding a document to instances for persistent or scheduled command execution.
AWS CreateDBSnapshot
Creates a manual point-in-time snapshot of an RDS database instance for backup or recovery purposes.
AWS CreateDevEndpoint
Creates a Glue development endpoint providing SSH access into the Glue VPC with the Glue service role.
AWS CreateFilter
Creates a GuardDuty finding filter that automatically suppresses or highlights findings matching specified criteria.
AWS CreateImage
Creates an Amazon Machine Image (AMI) from a running or stopped EC2 instance, capturing its disk state for reuse.
AWS CreateInstanceExportTask
Exports an EC2 instance as a virtual machine image to an S3 bucket in a format such as OVF or VMDK.
AWS CreateIPSet
Creates a GuardDuty IP set — a list of trusted or known malicious IP addresses used in threat intelligence.
AWS CreateKeyPair
Creates an EC2 key pair and returns the private key material, used for SSH authentication to EC2 instances.
AWS CreateLoginProfile
Creates a password for an IAM user, enabling them to sign into the AWS Management Console.
AWS CreateNetworkAclEntry
Adds an allow or deny rule to a Network ACL, controlling traffic entering or leaving a specific VPC subnet.
AWS CreateOpenIDConnectProvider
Registers an OIDC identity provider with IAM, enabling federated access from external identity systems like GitHub Actions.
AWS CreatePolicy
Creates a new managed IAM policy that can be attached to users, groups, or roles to define permissions.
AWS CreatePolicyVersion
Creates a new version of an IAM managed policy, which can optionally be set as the default active version.
AWS CreateRole
Creates a new IAM role with a trust policy that defines which principals are permitted to assume it.
AWS CreateSAMLProvider
Registers a SAML 2.0 identity provider metadata document with IAM, enabling federated authentication via SAML.
AWS CreateServiceLinkedRole
Creates a service-linked IAM role that allows an AWS service to perform actions on your behalf.
AWS CreateSnapshot
Creates a point-in-time snapshot of an EBS volume, stored durably for backup or volume duplication.
AWS CreateStack
Creates a CloudFormation stack by provisioning AWS resources defined in a specified template.
AWS CreateUser
Creates a new IAM user in the AWS account for programmatic or console-based access.
AWS CreateVirtualMFADevice
Creates a virtual MFA device that can be associated with an IAM user for multi-factor authentication.
AWS DeactivateMFADevice
Deactivates an MFA device associated with an IAM user, removing the MFA requirement for their authentication.
AWS DeleteAccessKey
Permanently deletes an IAM user's access key, revoking the associated programmatic access credentials.
AWS DeleteAlarms
Deletes one or more CloudWatch alarms, removing their monitoring configurations and associated notifications.
AWS DeleteBucket
Permanently deletes an S3 bucket; the bucket must be empty before deletion can succeed.
AWS DeleteBucketPolicy
Removes the resource-based policy from an S3 bucket, reverting to default access controls.
AWS DeleteConfigRule
Deletes an AWS Config rule that was evaluating the compliance of AWS resource configurations.
AWS DeleteConfigurationRecorder
Deletes the AWS Config configuration recorder, stopping resource configuration recording in the region.
AWS DeleteDBCluster
Permanently deletes an Aurora DB cluster and optionally its automated backups.
AWS DeleteDBInstance
Permanently deletes an RDS database instance, with an option to take a final snapshot before deletion.
AWS DeleteDeliveryChannel
Deletes the AWS Config delivery channel, stopping delivery of configuration snapshots and change notifications to S3 or SNS.
AWS DeleteDetector
Disables and permanently deletes a GuardDuty detector in the region, stopping all threat detection.
AWS DeleteEventDataStore
Deletes a CloudTrail Lake event data store, destroying stored forensic evidence and audit logs.
AWS DeleteFileSystem
Permanently deletes an EFS file system and all its data; all mount targets must be deleted first.
AWS DeleteFlowLogs
Deletes VPC Flow Log configurations, stopping the capture of network traffic metadata for the specified resources.
AWS DeleteGlobalCluster
Deletes an Aurora global database cluster that spans multiple AWS regions.
AWS DeleteLogGroup
Permanently deletes a CloudWatch Logs log group and all its log streams and stored data.
AWS DeleteLoginProfile
Removes an IAM user's console password, preventing them from signing in to the AWS Management Console.
AWS DeleteLogStream
Permanently deletes a log stream and all its events from within a CloudWatch Logs log group.
AWS DeleteMembers
Removes member accounts from a GuardDuty administrator account, ending the delegated monitoring relationship.
AWS DeleteNetworkAcl
Deletes a Network ACL from a VPC; the default NACL cannot be deleted.
AWS DeleteNetworkAclEntry
Removes a rule from a Network ACL, modifying traffic filtering for the associated VPC subnet.
AWS DeleteObject
Deletes a single object from an S3 bucket; with versioning enabled, a delete marker is created instead.
AWS DeleteObjects
Deletes multiple S3 objects in a single batch request, more efficient than individual delete operations.
AWS DeleteRolePermissionsBoundary
Removes the permissions boundary from an IAM role, potentially expanding the role's maximum effective permissions.
AWS DeleteRolePolicy
Deletes an inline policy embedded directly in an IAM role.
AWS DeleteRuleGroup
Permanently deletes a WAF rule group containing a set of web traffic filtering rules.
AWS DeleteSnapshot
Permanently deletes an EBS snapshot; any AMIs based on it must be deregistered first.
AWS DeleteTrail
Permanently deletes a CloudTrail trail, stopping API activity logging for that trail configuration.
AWS DeleteUser
Permanently deletes an IAM user; all attached policies, group memberships, and keys must be removed first.
AWS DeleteUserPermissionsBoundary
Removes the permissions boundary from an IAM user, potentially expanding their maximum effective permissions.
AWS DeleteUserPolicy
Deletes an inline policy embedded directly in an IAM user.
AWS DeleteVirtualMFADevice
Deletes a virtual MFA device, weakening account security by removing multi-factor authentication.
AWS DeleteVolume
Permanently deletes an EBS volume; the volume must be detached from any instance before deletion.
AWS DeleteWebACL
Permanently deletes a WAF Web ACL used to protect web applications from common web threats.
AWS DetachRolePolicy
Detaches a managed IAM policy from a role, removing those permissions from the role's effective policy.
AWS DetachUserPolicy
Detaches a managed IAM policy from an IAM user, removing those permissions from the user.
AWS DisableKey
Disables a KMS encryption key, preventing any operations that depend on it until the key is re-enabled.
AWS DisassociateFromMasterAccount
Disassociates the current account from its GuardDuty administrator account, ending the delegated monitoring relationship.
AWS DisassociateMembers
Disassociates specified member accounts from a GuardDuty administrator account.
AWS EnableRegion
Enables a previously disabled AWS region for the account, making its services available for use.
AWS EnableSerialConsoleAccess
Enables the EC2 Serial Console at the account level, allowing direct serial port access to instances for troubleshooting.
AWS GetAuthorizationToken
Retrieves an ECR authorization token for Docker image operations, seen in container escape and lateral movement chains.
AWS GetFederationToken
Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.
AWS GetObject
Retrieves (downloads) an object from an S3 bucket; logged in CloudTrail only when S3 data events are enabled.
AWS GetParameters
Retrieves one or more parameters from AWS Systems Manager Parameter Store, optionally decrypting SecureString values.
AWS GetPasswordData
Retrieves the encrypted Windows administrator password for a newly launched EC2 Windows instance.
AWS GetSecretValue
Retrieves the plaintext value of a secret stored in AWS Secrets Manager.
AWS GetSessionToken
Returns temporary credentials for an IAM user, typically used to satisfy an MFA requirement for subsequent API calls.
AWS GetSigninToken
Generates a sign-in token used to construct a federation URL for single sign-on to the AWS Management Console.
AWS ImportKeyPair
Imports an existing RSA or ED25519 public key into EC2 for use as a key pair when launching instances.
AWS Invoke
Invokes a Lambda function synchronously or asynchronously, triggering its execution with an optional input payload.
AWS LeaveOrganization
Removes the current member account from its AWS Organization; the management account cannot leave.
AWS ModifyDBInstance
Modifies settings on an RDS database instance, such as instance class, storage, networking, and access configuration.
AWS ModifyDBSnapshotAttribute
Modifies the attributes of an RDS DB snapshot, such as sharing it with other AWS accounts.
AWS ModifyImageAttribute
Modifies attributes of an AMI, such as making it public or sharing it with specific AWS accounts.
AWS ModifyInstanceAttribute
Modifies a specific attribute of an EC2 instance, such as its instance type, user data, or security groups.
AWS ModifySnapshotAttribute
Modifies the permissions of an EBS snapshot, such as making it public or sharing it with specific AWS accounts.
AWS PassRole
Allows a principal to pass an IAM role to an AWS service, granting the service permission to assume that role on their behalf.
AWS PasswordRecoveryRequested
Records a request to recover or reset the AWS account root user password via the password reset process.
AWS PutBucketAcl
Sets the Access Control List (ACL) for an S3 bucket, controlling access for specific AWS accounts or predefined groups.
AWS PutBucketLifecycle
Sets lifecycle configuration on an S3 bucket to automate object transitions or expiration over time.
AWS PutBucketLifecycleConfiguration
Sets lifecycle rules on an S3 bucket to automatically transition objects to cheaper storage tiers or expire them.
AWS PutBucketPolicy
Applies or replaces the resource-based policy on an S3 bucket, defining who can access it and how.
AWS PutBucketPublicAccessBlock
Modifies S3 bucket public access block settings, potentially disabling protections to allow public data exposure.
AWS PutBucketReplication
Enables replication for an S3 bucket, automatically copying objects to a destination bucket in the same or another region.
AWS PutEventSelectors
Configures which API events (management or data, read/write) a CloudTrail trail records.
AWS PutGroupPolicy
Creates or updates an inline policy embedded directly in an IAM group.
AWS PutImage
Pushes a container image to ECR, potentially introducing backdoored images into the deployment pipeline.
AWS PutKeyPolicy
Modifies a KMS key policy to grant cross-account access or expand key usage permissions.
AWS PutRolePermissionsBoundary
Sets a permissions boundary on an IAM role, capping the maximum permissions the role can be granted.
AWS PutRolePolicy
Creates or updates an inline policy embedded directly in an IAM role.
AWS PutRule
Creates an EventBridge rule that triggers on specific events, used for persistent execution of Lambda or other targets.
AWS PutTargets
Adds or updates targets for an EventBridge rule, defining which resources are invoked when the rule matches an event.
AWS PutUserPermissionsBoundary
Sets a permissions boundary on an IAM user, limiting the maximum permissions they can ever be granted.
AWS PutUserPolicy
Creates or updates an inline policy embedded directly in an IAM user.
AWS RemoveAccountFromOrganization
Removes an AWS account from the organization, stripping it of SCP protections and centralized security controls.
AWS ReplaceIamInstanceProfileAssociation
Replaces the IAM instance profile associated with a running EC2 instance with a different one.
AWS RestoreDBInstanceFromDBSnapshot
Restores an RDS instance from a snapshot, enabling an attacker to access database contents by spinning up a copy.
AWS ResumeSession
Resumes a previously disconnected Systems Manager Session Manager session with a managed instance.
AWS ScheduleKeyDeletion
Schedules a KMS customer managed key for deletion after a waiting period (7-30 days), after which encrypted data is unrecoverable.
AWS SendCommand
Remotely executes a command or script on one or more managed instances via AWS Systems Manager Run Command.
AWS SendSerialConsoleSSHPublicKey
Pushes an SSH public key to an EC2 instance's serial console interface, enabling SSH access over the serial port.
AWS SendSSHPublicKey
Pushes a temporary SSH public key to an EC2 instance via EC2 Instance Connect, valid for 60 seconds.
AWS SetDefaultPolicyVersion
Sets the default version of an IAM managed policy, changing which version of the policy is active for all attached entities.
AWS SharedSnapshotCopyInitiated
Records the start of a copy operation for an EBS snapshot shared from another AWS account.
AWS SharedSnapshotVolumeCreated
Records the creation of an EBS volume from a snapshot shared by another AWS account.
AWS StartBuild
Starts a CodeBuild build, executing arbitrary code with the build project's IAM role credentials.
AWS StartExportTask
Starts an export of an RDS snapshot to Amazon S3 in Apache Parquet format for use in analytics.
AWS StartSession
Starts an interactive Systems Manager Session Manager session with a managed EC2 instance or on-premises server.
AWS StopConfigurationRecorder
Stops AWS Config from recording resource configuration changes in the region.
AWS StopLogging
Stops logging API activity for a CloudTrail trail, disabling audit log collection for that trail.
AWS StopMonitoringMembers
Stops GuardDuty from monitoring specified member accounts under an administrator account.
AWS TerminateInstances
Permanently terminates one or more EC2 instances, releasing instance store data and associated resources.
AWS UpdateAccessKey
Changes the status of an IAM user's access key between Active and Inactive.
AWS UpdateAssumeRolePolicy
Updates the trust policy of an IAM role, changing which principals are permitted to assume it.
AWS UpdateDetector
Updates the configuration of a GuardDuty detector, such as enabling or disabling specific threat detection data sources.
AWS UpdateDevEndpoint
Updates a Glue development endpoint, potentially injecting SSH public keys for unauthorized access.
AWS UpdateFindingsFeedback
Updates the feedback status on GuardDuty findings, marking them as useful or not useful.
AWS UpdateFunctionCode20150331v2
Updates the code of an existing Lambda function with a new deployment package or container image URI.
AWS UpdateFunctionConfiguration20150331v2
Updates Lambda function configuration including environment variables, IAM role, or layers — used to inject credentials or swap execution context.
AWS UpdateIPSet
Modifies the IP addresses or CIDR ranges in a GuardDuty IP set used for threat intelligence.
AWS UpdateLoginProfile
Updates the console login password for an IAM user.
AWS UpdateTrail
Modifies the configuration of an existing CloudTrail trail, such as its S3 bucket, log validation, or multi-region settings.