UpdateDevEndpoint
Event
Updates a Glue development endpoint, potentially injecting SSH public keys for unauthorized access.
Security Context
- Updating a dev endpoint’s SSH public key grants the attacker direct SSH access to the endpoint with the Glue service role’s credentials, bypassing normal authentication controls.
- This technique allows an adversary to inject their own SSH key into an existing endpoint, gaining interactive access to a compute resource with broad data permissions.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
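A detection sketch for the key-injection behaviour described under Security Context, added here as an example and not taken from the original page. The sample records are constructed, and the lower-camel-case spelling of the `requestParameters` keys is an assumption, so parameter names are matched case-insensitively; `find_key_injections` and `known_keys` are hypothetical names.

```python
import json

# UpdateDevEndpoint parameters that add or replace SSH keys (lower-cased).
KEY_PARAMS = ("publickey", "addpublickeys")

def _sample(name, params, user, error=None):
    """Build one constructed CloudTrail record (not real log data)."""
    r = {"eventSource": "glue.amazonaws.com", "eventName": name,
         "eventTime": "2024-01-01T00:00:00Z", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
         "requestParameters": params}
    if error:
        r["errorCode"] = error
    return r

# Constructed log: one successful key injection, one unrelated update,
# one denied attempt, and one read-only call.
SAMPLE_LOG = json.dumps({"Records": [
    _sample("UpdateDevEndpoint", {"endpointName": "etl-dev",
            "addPublicKeys": ["ssh-rsa CONSTRUCTED-KEY-A"]}, "alice"),
    _sample("UpdateDevEndpoint", {"endpointName": "etl-dev",
            "updateEtlLibraries": True}, "bob"),
    _sample("UpdateDevEndpoint", {"endpointName": "etl-dev",
            "publicKey": "ssh-rsa CONSTRUCTED-KEY-B"}, "carol", "AccessDenied"),
    _sample("GetDevEndpoint", {"endpointName": "etl-dev"}, "alice"),
]})

def find_key_injections(cloudtrail_json, known_keys=frozenset()):
    """Return successful UpdateDevEndpoint calls that set keys not in known_keys."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "glue.amazonaws.com", "UpdateDevEndpoint"):
            continue
        if rec.get("errorCode"):  # failed or denied call: no key was installed
            continue
        params = {k.lower(): v for k, v in (rec.get("requestParameters") or {}).items()}
        keys = []
        for name in KEY_PARAMS:
            value = params.get(name) or []
            keys.extend(value if isinstance(value, list) else [value])
        new_keys = [k for k in keys if k not in known_keys]
        if new_keys:
            findings.append({"endpoint": params.get("endpointname"), "keys": new_keys,
                             "actor": rec.get("userIdentity", {}).get("arn"),
                             "source_ip": rec.get("sourceIPAddress"),
                             "time": rec.get("eventTime")})
    return findings
```

Passing the set of approved public keys as `known_keys` limits findings to keys that are not already expected on the endpoint.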