CreateDevEndpoint
Event
Creates a Glue development endpoint providing SSH access into the Glue VPC with the Glue service role.
Security Context
- Glue dev endpoints grant SSH access with the Glue service role’s credentials, which often have broad data access permissions across S3, RDS, and other data stores.
- Adversaries create dev endpoints to escalate privileges by leveraging the Glue service role, which may have access to sensitive data resources that the original compromised identity cannot reach directly.
Log Source
CloudTrail
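One way to triage this event in CloudTrail data, as an added example that is not part of the original page: it grades each CreateDevEndpoint call by who made it and whether it succeeded. The allowlist, account ID, ARNs and sample records are constructed, and the `requestParameters` field names (`endpointName`, `roleArn`) are assumed to follow CloudTrail's usual camelCase form of the Glue API parameters.

```python
import json

# Assumption: principals expected to create Glue dev endpoints in this account.
ALLOWED_CALLERS = {"arn:aws:iam::111122223333:role/data-eng-admin"}
GLUE_ROLE = "arn:aws:iam::111122223333:role/GlueServiceRole"  # constructed

# Constructed, trimmed CloudTrail records (not from a real account).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "glue.amazonaws.com", "eventName": "CreateDevEndpoint",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"endpointName": "tmp-ep", "roleArn": GLUE_ROLE}},
    {"eventSource": "glue.amazonaws.com", "eventName": "CreateDevEndpoint",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/data-eng-admin/alice",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/data-eng-admin"}}},
     "requestParameters": {"endpointName": "etl-dev", "roleArn": GLUE_ROLE}},
    {"eventSource": "glue.amazonaws.com", "eventName": "CreateDevEndpoint",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/intern"},
     "errorCode": "AccessDenied", "requestParameters": None},
    {"eventSource": "glue.amazonaws.com", "eventName": "GetDatabases",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
]})

def caller_arn(identity):
    """Resolve assumed-role sessions to the underlying role ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")

def find_dev_endpoint_creation(raw, allowed=ALLOWED_CALLERS):
    """Return one finding per CreateDevEndpoint call, graded by caller and outcome."""
    findings = []
    for rec in json.loads(raw).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != ("glue.amazonaws.com", "CreateDevEndpoint"):
            continue
        params = rec.get("requestParameters") or {}  # may be null on denied calls
        caller = caller_arn(rec.get("userIdentity", {}))
        failed = "errorCode" in rec
        if caller in allowed:
            severity = "info"      # expected principal
        elif failed:
            severity = "medium"    # unexpected principal was denied the call
        else:
            severity = "high"      # unexpected principal got an endpoint running as the Glue role
        findings.append({"severity": severity, "caller": caller, "succeeded": not failed,
                         "endpoint": params.get("endpointName"), "glue_role": params.get("roleArn")})
    return findings

if __name__ == "__main__":
    print(json.dumps(find_dev_endpoint_creation(SAMPLE_LOG), indent=2))
```

The `glue_role` value in each finding is the role worth reviewing next, since its permissions define what the endpoint can reach.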
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.