
Quick Start Security for Amazon CloudSearch


Coralogix Extension For Amazon CloudSearch Includes:

Alerts - 5

Stay on top of Amazon CloudSearch key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Domain Names were Listed

This alert detects when all search domains owned by an account are listed.

Impact: Threat actors may list AWS CloudSearch domain names as part of their reconnaissance or information-gathering process. With a list of CloudSearch domain names, they can identify targets for further attacks or exploit any misconfigurations or vulnerabilities associated with those domains.

Mitigation: Check whether this action is legitimate and that the user is aware of it. If not, investigate it further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 001

Access policies updated for a domain

This alert detects when the access rules that control access to the domain's document and search endpoints are configured or updated.

Impact: Threat actors can update access policies for a domain to grant themselves unauthorized access to it, potentially compromising sensitive data or altering the search functionality. By modifying the access policies, they may also grant access to other unauthorized individuals or entities, increasing the risk of data breaches or unauthorized actions within the domain.

Mitigation: Check whether this action is legitimate and that the user who performed it is aware of it. If not, investigate it further.

MITRE Tactic: TA0004
MITRE Technique: T1484

Index field was removed from a search domain

This alert detects whenever an index field is removed from the search domain. Each document that you add to your search domain has a collection of fields that contain the data that can be searched or returned. Every document must have a unique document ID and at least one field. In your domain configuration, you define an index field for each of the fields that occur in your documents.

Impact: Threat actors may delete an index field from a search domain after gaining unauthorized access to an AWS account and the necessary permissions. Deleting an index field can result in the permanent removal of the field and its associated data from the search domain. Any search queries or operations relying on that field will no longer work as expected.

Mitigation: Check whether this action is legitimate and that the user who performed it should have permission to do so. If not, investigate it further.

MITRE Tactic: TA0040
MITRE Technique: T1485

A domain was deleted

This alert detects when a search domain and all of its data are deleted. Note that once a domain has been deleted, it cannot be recovered. You can delete a domain from the Amazon CloudSearch console, using the aws cloudsearch delete-domain command, or using the AWS SDKs.

Impact: Threat actors can delete a search domain to impact the normal business operations of an organization.

Mitigation: Check whether this action was intended and that the user had permission to carry it out. If not, investigate further. Since this action is irreversible, it is recommended to grant delete rights only to selected users and to keep additional measures in place to deal with intentional or unintentional deletions.

MITRE Tactic: TA0040
MITRE Technique: T1531

A domain was created

This alert detects when a search domain is created. To search your data with Amazon CloudSearch, the first thing you need to do is create a search domain. If you have multiple collections of data that you want to make searchable, you can create multiple search domains.

Impact: If a threat actor gets appropriate privileges in an AWS account, they can create a CloudSearch domain to perform further malicious operations. This can also increase the billing amount for the targeted organization.

Mitigation: Check whether this action was intended and that the user had permission to carry it out. If not, delete the created domain and investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 001
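The five alerts above can be expressed as a match over CloudTrail records. The following is an added example, not Coralogix's rule definitions: it assumes CloudTrail logging is enabled, that each alert corresponds to the API action named in ALERTS, and that the domain name appears under requestParameters.domainName. The sample records are constructed.

```python
# Assumed mapping of the five alerts above to the CloudSearch configuration
# API action that CloudTrail records in eventName (not Coralogix's rules).
ALERTS = {
    "ListDomainNames": "Domain Names were Listed",
    "UpdateServiceAccessPolicies": "Access policies updated for a domain",
    "DeleteIndexField": "Index field was removed from a search domain",
    "DeleteDomain": "A domain was deleted",
    "CreateDomain": "A domain was created",
}

def match_alerts(records):
    """Return one finding per CloudTrail record that maps to an alert."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "cloudsearch.amazonaws.com":
            continue
        alert = ALERTS.get(rec.get("eventName"))
        if alert is None:
            continue
        params = rec.get("requestParameters") or {}  # may be null
        findings.append({
            "alert": alert,
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "domain": params.get("domainName"),  # field name assumed
            # errorCode appears only when the call was denied or failed
            "succeeded": "errorCode" not in rec,
        })
    return findings

# Constructed sample records, trimmed to the fields used above.
ARN = "arn:aws:iam::111122223333:user/"
SAMPLE = [
    {"eventSource": "cloudsearch.amazonaws.com", "eventName": "DeleteDomain",
     "userIdentity": {"arn": ARN + "alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"domainName": "products"}},
    {"eventSource": "cloudsearch.amazonaws.com",
     "eventName": "UpdateServiceAccessPolicies", "errorCode": "AccessDenied",
     "userIdentity": {"arn": ARN + "bob"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"domainName": "products"}},
    {"eventSource": "cloudsearch.amazonaws.com", "eventName": "ListDomainNames",
     "userIdentity": {"arn": ARN + "bob"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": ARN + "alice"}, "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for finding in match_alerts(SAMPLE):
        print(finding)
```

Keeping denied calls in the output with succeeded set to False lets a reviewer see attempts that the "check whether the user had permission" step would otherwise miss.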

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon CloudSearch in our documentation.
