
AWS SNS Security Breach: Exposed Data Exfiltration And Phishing Threats

Amazon Web Services’ Simple Notification Service (AWS SNS), a useful tool for linking applications and people, has unfortunately attracted the attention of cybercriminals. This tool, originally designed for simple communication, is now being exploited to steal sensitive data and execute phishing schemes, bypassing typical security measures.

AWS SNS allows systems and individuals to communicate with one another, much like a digital noticeboard. Due to its flexibility and reach, this cloud-based technology is beneficial for businesses, but it is also becoming a target.

Although AWS SNS provides scalability and smooth connectivity for businesses, its misuse for data theft and phishing has raised considerable privacy and security concerns.

AWS Simple Notification Service (SNS) is a cloud-based publish/subscribe (pub/sub) messaging service. It enables users to send notifications to various endpoints, including email, SMS, and mobile push alerts. Despite its robust architecture, AWS SNS is exposed to abuse when it is misconfigured.

Elastic Logic Detects SNS Abnormalities in AWS Threat Detection

The attack exploits legitimate AWS functionality. It creates SNS topics, subscribes external email addresses, and publishes sensitive data using API calls that look like typical AWS activity. This technique bypasses security groups, network ACLs, and other standard network protections because all communication takes place within the AWS infrastructure itself.

Analysts at Elastic Security Labs uncovered that adversaries with access to EC2 instances can exploit attached IAM roles with SNS permissions. Attackers can quickly create exfiltration channels with these privileges. The investigation revealed that attackers can create topics and external email subscriptions using native AWS CLI commands to exfiltrate stolen data.

The fact that this exfiltration method leaves minimal forensic trace and blends in with permitted traffic makes it particularly dangerous. Businesses with permissive IAM policies or monitoring gaps might not detect this activity until after sensitive data has already been exfiltrated.

Technically, it is simple and requires only a basic understanding of the AWS CLI. After gaining access to an EC2 instance, an attacker can create an exfiltration channel by running a few commands.

Figure: Data Exfiltration Workflow Leveraging AWS SNS and Compromised EC2 Instance (Elastic)

CloudTrail audit logs are a useful source for identifying odd API activity that can point to SNS misuse. By focusing on roles assumed by EC2 instances, security teams can quickly identify unusual events such as unexpected topic creation or suspicious subscription activity.

Elastic’s New Terms logic detects first-time occurrences such as the unexpected launch of an SNS topic, subscriptions utilising external email addresses, and significant surges in direct-to-phone messaging.

Threat hunting queries look for specific details in CloudTrail logs, such as user-agent strings or request parameters, to help identify abuse. For example, examining fields such as EC2 instance IDs and regions can surface rare topic creation and other uncommon activity.

Elastic’s New Terms Logic Detecting Suspicious SNS Subscription Confirmation via External Email

Analysing email subscriptions by protocol type can also reveal unauthorised external endpoints, and monitoring publish actions that include phone numbers can help identify smishing campaigns.
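The detection ideas above (topic creation, email subscriptions to external domains, and direct-to-phone publishes, each tied back to an EC2 instance role) can be expressed as simple logic over CloudTrail records. The following is an added example written for this article, not Elastic's detection rules or any AWS code; the allowed domain list, account ID, role name and the sample records are all constructed placeholders.

```python
# Allowed domains for SNS e-mail endpoints (constructed for this example; use your own).
INTERNAL_DOMAINS = {"example.com"}

def is_ec2_assumed_role(record):
    """True when the caller is an IAM role assumed by an EC2 instance profile:
    such sessions carry the instance ID (i-...) as the role session name in the ARN."""
    ident = record.get("userIdentity") or {}
    arn = ident.get("arn", "")
    session = arn.rsplit("/", 1)[-1]
    return ident.get("type") == "AssumedRole" and ":assumed-role/" in arn and session.startswith("i-")

def classify(record):
    """Return alert tags for one CloudTrail record; an empty list means nothing of interest."""
    if record.get("eventSource") != "sns.amazonaws.com":
        return []
    params = record.get("requestParameters") or {}
    name = record.get("eventName")
    tags = []
    if name == "CreateTopic":
        tags.append("sns_topic_created")
    elif name == "Subscribe" and params.get("protocol") == "email":
        domain = params.get("endpoint", "").rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            tags.append("sns_external_email_subscription")
    elif name == "Publish" and params.get("phoneNumber"):
        tags.append("sns_direct_sms_publish")
    if tags and is_ec2_assumed_role(record):
        tags.append("from_ec2_instance_role")
    return tags

def scan(records):
    """Run classify() over a batch of records and return (eventName, tags) for each hit."""
    hits = [(r["eventName"], classify(r)) for r in records]
    return [h for h in hits if h[1]]

# Constructed CloudTrail-style records (not real data). Account ID and names are placeholders.
EC2_ROLE = {"type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc123def456"}
SAMPLE_RECORDS = [
    {"eventSource": "sns.amazonaws.com", "eventName": "CreateTopic",
     "userIdentity": EC2_ROLE, "requestParameters": {"name": "exfil-topic"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Subscribe", "userIdentity": EC2_ROLE,
     "requestParameters": {"protocol": "email", "endpoint": "drop@attacker.example"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"protocol": "email", "endpoint": "alerts@example.com"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Publish", "userIdentity": EC2_ROLE,
     "requestParameters": {"phoneNumber": "+15550100", "message": "constructed"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": EC2_ROLE},
]
```

Running `scan(SAMPLE_RECORDS)` flags the topic creation, the external email subscription and the SMS publish from the instance role, while the operator's subscription to an internal domain and the non-SNS event produce no hit.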

Although AWS SNS is a useful tool for businesses, there are significant risks if it is not properly configured or monitored. Organisations can effectively minimise these risks by identifying vulnerabilities and implementing clear detection tactics based on CloudTrail data.

As cloud environments change, keeping robust security requires being proactive, putting in place strong IAM controls based on the least privilege principle, and thoroughly recording all SNS activity.

Security Awareness Training makes it easier for people to spot basic red flags, and with regular simulated testing, you can ensure your business is better protected from cyberattacks. Book your free Phishing Tackle demo today.
