nsonha 10 hours ago

There are logs for accessing AWS resources, and if you don't see the access before you revoke it, then the data is safe.

MrDarcy 10 hours ago | parent | next [-]

Unless the attacker used any one of hundreds of other avenues to access the AWS resource.

Are you sure they didn’t get a service account token from some other service then use that to access customer data?

I’ve never seen anyone claim in writing all permutations are exhaustively checked in the audit logs.

otterley 9 hours ago | parent | next [-]

It depends on what kind of access we're talking about. If we're talking about AWS resource mutations, one can trust CloudTrail to accurately log those actions. CloudTrail can also log data plane events, though you have to turn it on, and it costs extra. Similarly, RDS access logging is pretty trustworthy, though functionality varies by engine.
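
The distinction drawn above between mutations and data plane events, as an added example that is not part of the thread: a check of whether a trail's selectors would have recorded data *reads* at all, which is what an "absence of access" argument depends on. It assumes the input has the shape of a CloudTrail `GetEventSelectors` response; the function name and the sample trails are constructed for illustration.

```python
def read_coverage(selectors):
    """Report which read events a trail records, from a dict shaped like a
    CloudTrail GetEventSelectors response (assumed input shape).
    Simplification: coverage is judged per resource type; ARN scoping
    (DataResources Values, resources.ARN) is not evaluated."""
    mgmt_reads, data_reads = False, set()

    # Basic selectors: ReadWriteType defaults to All, management events to on.
    for sel in selectors.get("EventSelectors") or []:
        if sel.get("ReadWriteType", "All") not in ("All", "ReadOnly"):
            continue  # WriteOnly: reads are never logged by this selector
        if sel.get("IncludeManagementEvents", True):
            mgmt_reads = True
        for res in sel.get("DataResources", []):
            if res.get("Values"):
                data_reads.add(res["Type"])

    # Advanced selectors: category and resource type are field conditions.
    for sel in selectors.get("AdvancedEventSelectors") or []:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("readOnly", {}).get("Equals") == ["false"]:
            continue  # restricted to write events
        category = fields.get("eventCategory", {}).get("Equals", [])
        if "Management" in category:
            mgmt_reads = True
        if "Data" in category:
            data_reads.update(fields.get("resources.type", {}).get("Equals", []))

    return {"management_reads": mgmt_reads, "data_reads": sorted(data_reads)}


# Constructed sample trails (not taken from any real account).
DEFAULT_TRAIL = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}
WRITE_ONLY_S3 = {"EventSelectors": [
    {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]}
ADVANCED_S3 = {"AdvancedEventSelectors": [{"Name": "s3-data", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]}

if __name__ == "__main__":
    for name, trail in [("default", DEFAULT_TRAIL), ("write-only S3", WRITE_ONLY_S3),
                        ("advanced S3", ADVANCED_S3)]:
        print(name, read_coverage(trail))
```

An empty `data_reads` means the trail cannot show that objects were not read. The selectors also describe only the current configuration, not what was being logged during the time range in question.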

johncolanduoni 5 hours ago | parent | prev [-]

Ideally you should have a clear audit log of all developer actions that access production resources, and clear records of custody over any shared production credentials (e.g. you should be able to show the database password used by service A is not available outside of it, and that no malicious code was deployed to service A). A lot of places don't do this, of course, but often you can come up with a pretty good circumstantial case that it was unlikely that exfiltration occurred over the time range in question.

zymhan an hour ago | parent | prev [-]

Because an attacker would never cover their tracks...