Step 2: Detection
Review AWS CloudTrail logs for API calls originating from unexpected source IPs or service principals associated with the Trivy execution environment. Query for anomalous S3 `GetObject`, `ListBuckets` or IAM `ListAccessKeys` activity from CI/CD runner IPs, and for use of the runner's credentials from IPs that are not runner egress addresses. Search pipeline and egress logs for Trivy runs that made outbound connections to anything other than Aqua Security's official endpoints (a normal run pulls its vulnerability databases from `ghcr.io/aquasecurity/`), the public container registries you use (Docker Hub, ECR, GCR) and the artifact repositories in your environment. Look for large-volume data transfer events (S3 or equivalent) not associated with known automation jobs. IOC patterns: unexpected AWS API calls from scanner host IPs, credential use outside pipeline execution windows, bulk object enumeration or download events.
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Query CloudTrail without a SIEM using the AWS CLI: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListBuckets --start-time 2025-01-01 --output json | jq '.Events[] | {Time: .EventTime, User: .Username, IP: (.CloudTrailEvent | fromjson | .sourceIPAddress)}'`. Note that `lookup-events` returns only the last 90 days of management events, and only for the region you query; S3 object-level calls such as `GetObject` are data events and exist only if a trail records them. For those, pivot to S3 server access logs (enabled per bucket, separately from CloudTrail) and count `GetObject` requests per bucket, source IP and requester to find the spike: `grep -E 'REST.GET.OBJECT' s3_access.log | awk '{print $2, $5, $6, $8}' | sort | uniq -c | sort -rn | head -50`. In that format the bracketed timestamp occupies `$3` and `$4`, so `$5` is the remote IP and `$6` the requester; this counts requests, not bytes, because the byte count sits after the quoted request URI. For pipeline-level correlation, parse GitHub Actions or GitLab CI job logs to extract Trivy execution timestamps and cross-reference them against CloudTrail `sourceIPAddress` values matching runner egress IPs. Use the free Sigma rule `aws_cloudtrail_iam_enumeration.yml` (SigmaHQ repository) to structure the queries if you forward to a log aggregator.
Preserve Evidence
Capture before analysis:
(1) S3 server access logs from every bucket reachable with the compromised Trivy IAM key. Look for `REST.GET.OBJECT` and `REST.GET.BUCKET` entries whose bytes add up toward the 92 GB exfiltration volume, with remote IP values that do not match known CI/CD runner egress ranges.
(2) CloudTrail `ListBuckets`, `GetBucketLocation`, `GetObject`, `ListObjects` and `ListAccessKeys` (eventSource `iam.amazonaws.com`) events attributed to the compromised access key ID. `GetObject` and `ListObjects` are S3 data events and appear only if the trail has data events enabled for those buckets. These map to MITRE ATT&CK T1530 (Data from Cloud Storage) and T1087.004 (Cloud Account Discovery).
(3) VPC Flow Logs or AWS Network Firewall logs showing outbound connections from CI/CD runner subnets to external IPs outside the allowlist during or immediately after Trivy scan job execution.
(4) CI/CD pipeline execution logs (GitHub Actions workflow run logs, GitLab CI job traces) showing Trivy invocation timestamps and any anomalous post-scan subprocess or network activity.
(5) The AWS GuardDuty finding `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`, if GuardDuty was active. This finding type flags EC2 instance-profile credentials used from an IP outside AWS, so expect it only if the runner obtained its AWS credentials from an instance profile; a static access key stored as a pipeline secret will not trigger it.
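As an added worked example (not part of the original playbook, and not Aqua Security's or AWS's code), the following Python applies the detection and evidence checks above to constructed input: it parses S3 server access log lines properly (bracketed timestamp, quoted request URI), totals `REST.GET.OBJECT` bytes per requester and source IP outside an assumed CI runner egress range, and filters a constructed `aws cloudtrail lookup-events` document to enumeration calls from the same unknown sources. The runner CIDR, IP addresses, bucket name, requester and access key IDs are all assumptions for illustration.

```python
import ipaddress
import json
import re
from collections import defaultdict

# S3 server access log tokenizer: the timestamp is one [bracketed] field and the
# request URI, referer and user agent are "quoted", so plain whitespace splitting
# (awk $N) gives different field numbers than the documented format.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading fields of the S3 server access log format, in documented order.
_FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
           "operation", "key", "request_uri", "http_status", "error_code",
           "bytes_sent", "object_size", "total_time")

# CloudTrail eventNames covering the enumeration phase (ATT&CK T1087.004 / T1530).
ENUM_EVENTS = {"ListBuckets", "GetBucketLocation", "ListObjects", "ListObjectsV2",
               "ListAccessKeys"}

RUNNER_CIDRS = ["203.0.113.0/24"]  # assumed CI runner egress range (constructed, TEST-NET-3)

def parse_s3_access_line(line):
    """Map one access log line to a dict of its leading fields; bytes_sent becomes an int."""
    rec = dict(zip(_FIELDS, _TOKEN.findall(line)))
    sent = rec.get("bytes_sent", "-")
    rec["bytes_sent"] = int(sent) if sent.isdigit() else 0  # "-" means nothing sent
    return rec

def is_known_egress(value, nets):
    """True only for a literal IP inside an allowlisted network. Non-IP values
    (an AWS service principal in sourceIPAddress, for instance) return False so
    they surface for review rather than being silently trusted."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in nets)

def bytes_by_unknown_source(lines, runner_cidrs):
    """Sum REST.GET.OBJECT bytes per (requester, remote_ip) for sources outside runner_cidrs."""
    nets = [ipaddress.ip_network(c) for c in runner_cidrs]
    totals = defaultdict(int)
    for line in lines:
        rec = parse_s3_access_line(line)
        if rec.get("operation") != "REST.GET.OBJECT":
            continue
        if is_known_egress(rec.get("remote_ip", ""), nets):
            continue
        totals[(rec["requester"], rec["remote_ip"])] += rec["bytes_sent"]
    return dict(totals)

def suspicious_cloudtrail(lookup_output, runner_cidrs):
    """Filter `aws cloudtrail lookup-events` JSON to enumeration calls from outside
    runner_cidrs; returns (eventName, sourceIPAddress, accessKeyId) tuples."""
    nets = [ipaddress.ip_network(c) for c in runner_cidrs]
    hits = []
    for ev in lookup_output.get("Events", []):
        detail = json.loads(ev["CloudTrailEvent"])  # the nested record is a JSON string
        name, src = detail.get("eventName"), detail.get("sourceIPAddress", "")
        if name in ENUM_EVENTS and not is_known_egress(src, nets):
            hits.append((name, src, detail.get("userIdentity", {}).get("accessKeyId")))
    return hits

# Constructed sample data, not real logs. 198.51.100.77 plays the attacker's host.
SAMPLE_S3_LOG = [
    'owner1 ci-artifacts [12/Mar/2025:10:15:02 +0000] 203.0.113.10 AIDAEXAMPLE1 R1 REST.GET.OBJECT reports/scan.json "GET /reports/scan.json HTTP/1.1" 200 - 4096 4096 12 10 "-" "aws-cli/2.15"',
    'owner1 ci-artifacts [12/Mar/2025:23:40:58 +0000] 198.51.100.77 AIDAEXAMPLE1 R2 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 5120 - 15 14 "-" "aws-sdk-go/1.44"',
    'owner1 ci-artifacts [12/Mar/2025:23:41:07 +0000] 198.51.100.77 AIDAEXAMPLE1 R3 REST.GET.OBJECT builds/app-1.2.3.tar.gz "GET /builds/app-1.2.3.tar.gz HTTP/1.1" 200 - 734003200 734003200 9800 40 "-" "aws-sdk-go/1.44"',
    'owner1 ci-artifacts [12/Mar/2025:23:41:09 +0000] 198.51.100.77 AIDAEXAMPLE1 R4 REST.GET.OBJECT builds/db-dump.sql.gz "GET /builds/db-dump.sql.gz HTTP/1.1" 200 - 314572800 314572800 5200 31 "-" "aws-sdk-go/1.44"',
]

def _event(name, ip, key="AKIAIOSFODNN7EXAMPLE"):
    """One constructed lookup-events record; the key ID is AWS's documentation example."""
    body = {"eventName": name, "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}
    return {"EventName": name, "Username": "trivy-ci", "CloudTrailEvent": json.dumps(body)}

SAMPLE_LOOKUP = {"Events": [
    _event("ListBuckets", "203.0.113.10"),     # the runner doing its normal job
    _event("ListBuckets", "198.51.100.77"),    # same key replayed from an unknown host
    _event("ListAccessKeys", "198.51.100.77"),
    _event("PutObject", "198.51.100.77"),      # not an enumeration call; out of scope here
]}

if __name__ == "__main__":
    for (requester, ip), total in bytes_by_unknown_source(SAMPLE_S3_LOG, RUNNER_CIDRS).items():
        print(f"{requester} from {ip}: {total / 2**20:.0f} MiB via REST.GET.OBJECT")
    for hit in suspicious_cloudtrail(SAMPLE_LOOKUP, RUNNER_CIDRS):
        print("enumeration from unknown source:", hit)
```

On real data, pass the lines of the downloaded access log to `bytes_by_unknown_source` and the parsed `--output json` of `lookup-events` to `suspicious_cloudtrail`, with `RUNNER_CIDRS` set to your actual runner egress ranges. A non-IP `sourceIPAddress` (an AWS service principal) is deliberately reported as unknown rather than trusted, so you review it instead of losing it to the allowlist.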