Alert received of access to ManagedOpenShift-Support-Role flagged as a security risk by AWS GuardDuty

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4

Issue

  • Received an AWS GuardDuty alert regarding an attempt to access the ManagedOpenShift-Support-Role within AWS account X000XX0XXX00.
  • Want to confirm whether the cluster was accessed by the Red Hat operations team / Site Reliability Engineering (SRE) for security reasons.
  • AWS GuardDuty detected anomalous List* and Get* API calls by the user.

Resolution

  • If AWS GuardDuty alerts are triggered, the finding details identify the Red Hat SRE principal: the assumed role is ManagedOpenShift-Support-Role and the session name in the Principal ID carries the RH-SRE- prefix, as below:
    Principal ID: AROARRXGRORXXXXXXXXXX:RH-SRE-Xxxxx.openshift
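To make that check concrete, here is an added Python triage helper (not from the article or from Red Hat): it parses a constructed GuardDuty finding and flags the actor as a Red Hat SRE session only when the assumed role is ManagedOpenShift-Support-Role and the session name in the principal ID starts with RH-SRE-. The field names are those of the GuardDuty finding JSON (resource.accessKeyDetails, service.action); the sample values are constructed.

```python
# Added triage helper (not from the article): flags a GuardDuty finding as a
# Red Hat SRE session when the assumed role is ManagedOpenShift-Support-Role
# and the role session name in principalId carries the RH-SRE- prefix.
import json

SUPPORT_ROLE = "ManagedOpenShift-Support-Role"
SRE_SESSION_PREFIX = "RH-SRE-"
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation"}

# Constructed sample, modelled on the redacted finding in the article; field
# names follow the GuardDuty finding JSON (resource.accessKeyDetails, service.action).
SAMPLE_FINDING = json.dumps({
    "type": "Impact:IAMUser/AnomalousBehavior",
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
        "accessKeyId": "ASIAEXAMPLEKEY000000",
        "principalId": "AROAEXAMPLEROLEID0000:RH-SRE-jdoe.openshift",
        "userType": "AssumedRole", "userName": SUPPORT_ROLE}},
    "service": {"action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
        "api": "StopInstances", "serviceName": "ec2.amazonaws.com",
        "errorCode": "UnauthorizedOperation"}}},
})


def split_principal(principal_id):
    """Split 'AROA...:session-name' into (role_unique_id, session_name)."""
    role_id, sep, session = principal_id.partition(":")
    return role_id, (session if sep else "")


def classify_finding(raw_json):
    """Return a triage summary: SRE session or not, API called, whether it was denied."""
    finding = json.loads(raw_json)
    key = finding.get("resource", {}).get("accessKeyDetails", {})
    call = finding.get("service", {}).get("action", {}).get("awsApiCallAction", {})
    _, session = split_principal(key.get("principalId", ""))
    # All three conditions must hold: a session name alone is caller-chosen,
    # so the role name and the assumed-role user type are checked as well.
    is_sre = (key.get("userType") == "AssumedRole"
              and key.get("userName") == SUPPORT_ROLE
              and session.startswith(SRE_SESSION_PREFIX))
    return {
        "sre_session": is_sre,
        "session_name": session,
        "api": call.get("api"),
        "denied": call.get("errorCode") in DENIED_CODES,
    }
```

A finding that matches is still worth confirming with Red Hat support through the usual case process; the helper only sorts findings for triage.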

Root Cause

  • The Red Hat operations team / SRE observe and monitor cluster activity 24x7 and receive alerts for incidents. When an incident is raised, SREs access the cluster to rectify and resolve the issue. As a result, AWS GuardDuty generated an alert about someone accessing the ManagedOpenShift-Support-Role in the AWS account.

Diagnostic Steps

  • If alerts are triggered, the AWS GuardDuty finding details look like the following:
Impact:IAMUser/AnomalousBehavior - AWS GD Finding ID: XXaXXXbXXXXXbacbeXfXadXcXaffXaXX
APIs commonly used in Impact tactics were invoked by user AssumedRole : ManagedOpenShift-Support-Role, under anomalous circumstances. Such activity is not typically seen from this user.

Summary: Remote IP XXX(.)XXX(.)XX.XXX from X City, <country name> made the following API calls to get details using the assumed role mentioned above. According to AWS GuardDuty, the error responses were "UnauthorizedOperation" and "AccessDenied", so although the API calls were made, the responses were UnauthorizedOperation and AccessDenied.

Account: XXXXXXXX - Xxxxx (xxx.abc.xx) - xxx-xxx-openshift (Xxx/ Non production)

Details:
Actor
=====
Caller type: Remote IP

IP address: XXX(.)ABC(.)XX.PQR

Location:
City: X
Country: Y

Action
=====
Action type: AWS_API_CALL
API: StopInstances
Service name: ec2.amazonaws.com
User agent: AWS Internal

First seen: 0X-0X-20XX 0X:0X:XX (x day ago)
Last seen: XX-XX-20XX 0X:0X:XX (x day ago)

Anomalous APIs (X)
===============
Successfully called

EC2: StopInstances
Error Response: UnauthorizedOperation

EC2: DescribeInstanceCreditSpecifications
Error Response: AccessDenied

Compute-optimizer: GetEnrollmentStatus
Logs: DescribeMetricFilters

Iam: GetInstanceProfile

Unusual behavior (Account)

ASN org: Abcd Group (XXXX)

Unusual behavior (User Identity)

API: StopInstances , DescribeInstanceCreditSpecifications , GetEnrollmentStatus , DescribeMetricFilters , GetInstanceProfile

ASN org: Abcd Group (XXXX)

Resource affected
===============
Resource role: TARGET

Resource type: AccessKey

Access key ID: XXXXXXXXXXXXXX

Principal ID: AROARRXGRORXXXXXXXXXX:RH-SRE-Xxxxx.openshift

User type: AssumedRole

User name: ManagedOpenShift-Support-Role

Severity: HIGH

Region: xxx-xxxx-X
Count: X
Account ID: XXXXXXXX

Investigation:
GuardDuty / Detective investigation into the activity shows:
Error Response: UnauthorizedOperation

EC2: DescribeInstanceCreditSpecifications
Error Response: AccessDenied

IP Check:
An OSINT lookup of the IP via VirusTotal returned a clean result.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
