Cloud Service Modification (e52d89f9-1710-4708-88a5-cbef77c4cd5e)
Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples:
- AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule).
- Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource.
- Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function.
- Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365.
This data component can be collected through the following measures:
Enable Cloud Audit Logging
- AWS: Enable AWS CloudTrail for logging management events such as StopLogging or DeleteTrail.
- Azure: Use Azure Activity Logs to monitor resource changes and access actions.
- Google Cloud: Enable Google Cloud Audit Logs to track API calls, resource modifications, and policy changes.
- Office 365: Use Unified Audit Logs in Microsoft Purview to track administrative actions.
Centralize Log Storage
- Consolidate logs from all cloud providers into a SIEM or CSPM (Cloud Security Posture Management) tool.
- Example: Use Splunk or Elastic Stack to ingest and analyze logs from AWS, Azure, and Google Cloud.
Automate Alerts for Sensitive Changes
- Configure alerts for high-risk actions, such as disabling logging or modifying IAM roles.
- AWS Example: Use AWS Config rules to detect and notify on changes to critical services.
- Azure Example: Set up Azure Monitor alerts for write actions on sensitive resources.
Enable Continuous Monitoring
- Use tools like AWS Security Hub, Azure Defender, or Google Chronicle to continuously monitor cloud service modifications for anomalies.
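As an added example (not part of this ATT&CK page or any vendor's tooling), the check below runs over constructed AWS CloudTrail records and raises one alert per high-risk management event of the kind listed above (StopLogging, DeleteTrail, DeleteConfigRule, IAM role policy writes). The table of event names and the sample records are assumptions for illustration; the record shape follows CloudTrail's documented fields (eventSource, eventName, userIdentity.arn, requestParameters, errorCode).

```python
import json

# Management events that reduce visibility or change access. Constructed for this
# example from the event names on the page plus common IAM writes; tune per environment.
HIGH_RISK_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"DeleteConfigRule", "StopConfigurationRecorder"},
    "iam.amazonaws.com": {"AttachRolePolicy", "PutRolePolicy", "CreateAccessKey"},
}

# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "DeleteConfigRule", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"configRuleName": "cloudtrail-enabled"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # A denied attempt is still worth an alert: someone tried to remove the trail.
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied"},
]


def find_high_risk_events(records):
    """Return one alert dict per high-risk management event, in log order.
    Failed calls are kept but marked, since a denied StopLogging/DeleteTrail is itself a signal."""
    alerts = []
    for rec in records:
        source, name = rec.get("eventSource", ""), rec.get("eventName", "")
        if name not in HIGH_RISK_EVENTS.get(source, ()):
            continue
        error = rec.get("errorCode")
        alerts.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "action": f"{source.split('.')[0]}:{name}",
            "target": json.dumps(rec.get("requestParameters", {}), sort_keys=True),
            "outcome": f"denied ({error})" if error else "succeeded",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_high_risk_events(SAMPLE_RECORDS):
        print(alert)
```

The same loop can be pointed at the `Records` array of a CloudTrail log file or at a SIEM export, which is where the "Automate Alerts for Sensitive Changes" step above would run it.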