ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

High Severity Issue in AWS Security Hub #6671

Closed sukeshreddyg closed 5 months ago

sukeshreddyg commented 6 months ago

Expected Behavior

The expected behavior would be for IAM entities to interact with S3 using standard, approved methods without triggering any unusual behavior alerts in AWS Security Hub or GuardDuty.

Actual Behavior

IAM entities are invoking S3 API calls in an unusual manner, triggering alerts related to Exfiltration:S3/AnomalousBehavior in AWS Security Hub. This behavior is specifically related to the bastion module's interaction with S3 in the pra-register-production environment.

https://mojdt.slack.com/archives/C01A7QK5VM1/p1711550490256409

Steps to Reproduce the Problem

No response

Version

No response

Modules

Bastion Module

Account

pra-register-production

SimonPPledger commented 6 months ago

Sukesh to talk to App team - and suggest it is monitored

sukeshreddyg commented 5 months ago

Discussed this with the user. If they encounter something like this in the future, I asked them to inform us or raise the issue in the ask channel.