Permission Groups Discovery: Cloud Groups (AWS)

Description

Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API. Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Legacy Cloud SecurityAWSRead-onlyHTTPSList of Cloud Users, Groups and Memberships

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Discovery

Sub-Technique: Cloud Groups

Platform: AWS

Products Required: Tenable Cloud Security

Tenable Release Date: 2022 Q4