Weekly #13-2025 – By suktech24, Sun 3 Aug 2025, Estimated reading time : 6 mins
As cloud environments grow in complexity, so do the tactics used by attackers. One of the most effective ways to detect malicious activity in cloud environments is by analyzing the temporal proximity of events, i.e., how closely related actions occur in time. In AWS, where millions of events are logged daily, understanding temporal proximity can help us identify suspicious patterns, such as privilege escalation, lateral movement, or data exfiltration.
These three insightful resources inspired me to write this week's blog post.
- Building Temporal Correlations in Threat Hunts, https://www.fortian.com.au/blog/temporal-correlations-in-threat-hunts.html
- Practical Temporal Proximity in KQL, https://attackthesoc.medium.com/practical-temporal-proximity-in-kql-57703a0acc18
- Detect and investigate Amazon EC2 malware with Amazon GuardDuty and Amazon Detective, https://aws.amazon.com/blogs/publicsector/detect-and-investigate-amazon-ec2-malware-with-amazon-guardduty-and-amazon-detective/
This week, I will focus on how to apply temporal proximity in AWS security, sharing real-world examples and practical techniques.
- What is Temporal Proximity?
- Why Temporal Proximity Matters
- Detecting Credential Compromise and Privilege Escalation in AWS
- Possible Investigation Steps
- Remediation
- References
What is Temporal Proximity?
“Temporal Proximity in Information Security refers to the occurrence of two or more related events, similar or different in nature, within a specific timespan, as defined by Dylan. This concept is essential for identifying patterns, correlations, and potential security incidents based on the timing and sequence of these events.”
For example:
- A user logs in and immediately accesses sensitive S3 buckets.
- An IAM role is created and used to launch EC2 instances within minutes.
By focusing on the timing of events, security teams can detect threats that might otherwise go unnoticed.
Why Temporal Proximity Matters
AWS environments generate a massive volume of logs, including CloudTrail, VPC Flow Logs, and GuardDuty findings. While these logs provide valuable data, the sheer volume of logs can make it difficult to spot threats. Temporal proximity helps by:
- Reducing Noise: Focusing on events that occur close together filters out benign activity.
- Identifying Multi-Stage Attacks: Many cloud attacks involve multiple steps (e.g. credential theft followed by data exfiltration) executed in quick succession.
- Enhancing Threat Hunting: By analyzing event timing, advanced threats that evade traditional detection methods can be uncovered.
Handling Noisy Detections: As James Fox noted in Building Temporal Correlations in Threat Hunts, noisy detections often produce weak indicators of malicious activity. By chaining these indicators using temporal proximity, you can build a cohesive attack narrative, reducing false positives. For example, in AWS, a ConsoleLogin from an unusual IP followed by an AddUserToGroup event within 30 minutes is more likely to indicate compromise than either event alone.
Detecting Credential Compromise and Privilege Escalation in AWS
Scenario
An attacker steals AWS IAM user credentials and logs in from an unrecognized IP address. Using the compromised account, they attempt to escalate privileges by adding themselves to a higher-privileged group to gain broader access to AWS resources.
Temporal Proximity
Temporal proximity is key to detecting this attack. Suspicious activities might include:
- Login using stolen credentials (CloudTrail event: ConsoleLogin)
- ConsoleLogin event from an unusual IP
- Call to AddUserToGroup to escalate privileges within minutes or hours
- Subsequent access to sensitive resources, e.g. S3 buckets or EC2 instances
AWS CloudTrail Logs
Below are sample CloudTrail logs from AWS docs.
ConsoleLogin, IAM user, successful sign-in with MFA
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EXAMPLE6E4XEGITWATV6R",
    "arn": "arn:aws:iam::999999999999:user/Anaya",
    "accountId": "999999999999",
    "userName": "Anaya"
  },
  "eventTime": "2023-07-19T22:01:30Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplebde32f3c9",
    "MobileVersion": "No",
    "MFAIdentifier": "arn:aws:iam::999999999999:mfa/mfa-device",
    "MFAUsed": "Yes"
  },
  "eventID": "e1f76697-5beb-46e8-9cfc-EXAMPLEbde31",
  "readOnly": false,
  "eventType": "AwsConsoleSignIn",
  "managementEvent": true,
  "recipientAccountId": "999999999999",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
  }
}
```
- The log below shows a user being added to the Admin group. If this event occurs shortly after a ConsoleLogin from a malicious or unrecognized IP, it could indicate credential compromise followed by privilege escalation.
- AWS CLI call: aws iam add-user-to-group
```json
{"Records": [{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA6ON6E4XEGIEXAMPLE",
    "arn": "arn:aws:iam::555555555555:user/Paulo",
    "accountId": "555555555555",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Paulo",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-07-19T21:11:57Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2023-07-19T21:25:09Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "AddUserToGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.add-user-to-group",
  "requestParameters": {
    "groupName": "Admin",
    "userName": "Jane"
  },
  "responseElements": null,
  "requestID": "ecd94349-b36f-44bf-b6f5-EXAMPLE9c463",
  "eventID": "2939ba50-1d26-4a5a-83bd-EXAMPLE85850",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "555555555555",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "iam.amazonaws.com"
  },
  "sessionCredentialFromConsole": "true"
}]}
```
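The ConsoleLogin-then-AddUserToGroup chain from the scenario above, as an added example that is not code from the original post: it groups CloudTrail records per principal, sorts them by eventTime, and reports every successful ConsoleLogin from an IP outside a constructed allowlist that the same principal follows with AddUserToGroup inside a 30-minute window. The sample records are constructed and modelled on the AWS doc samples above, but given one shared account and principal so that they actually form a chain (the doc samples themselves come from two different accounts).

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records modelled on the two CloudTrail events above, trimmed to the
# fields the detection reads and given one shared account so that they form a chain.
def _rec(time, name, ip, user, **extra):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::999999999999:user/{user}"}, **extra}

SAMPLE_RECORDS = [  # deliberately out of order; 198.51.100.0/24 is a documentation range
    _rec("2023-07-19T22:14:02Z", "AddUserToGroup", "198.51.100.7", "Anaya",
         requestParameters={"groupName": "Admin", "userName": "Anaya"}),
    _rec("2023-07-19T22:01:30Z", "ConsoleLogin", "198.51.100.7", "Anaya",
         responseElements={"ConsoleLogin": "Success"}),
    # same chain 20 minutes apart, but from a known corporate range: onboarding, not a hit
    _rec("2023-07-19T09:00:00Z", "ConsoleLogin", "192.0.2.10", "Paulo",
         responseElements={"ConsoleLogin": "Success"}),
    _rec("2023-07-19T09:20:00Z", "AddUserToGroup", "192.0.2.10", "Paulo",
         requestParameters={"groupName": "Developers", "userName": "Jane"}),
]
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed allowlist of egress ranges
WINDOW = timedelta(minutes=30)

def _when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def is_known_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_NETWORKS)

def find_login_then_escalation(records, window=WINDOW):
    """(principal arn, login ip, minutes elapsed, group) for each successful ConsoleLogin
    from an unknown IP followed by the same principal's AddUserToGroup within `window`."""
    by_principal = {}
    for rec in sorted(records, key=_when):  # chains are per principal, in time order
        by_principal.setdefault(rec["userIdentity"]["arn"], []).append(rec)
    hits = []
    for arn, events in by_principal.items():
        for i, login in enumerate(events):
            if (login["eventName"] != "ConsoleLogin"
                    or (login.get("responseElements") or {}).get("ConsoleLogin") != "Success"
                    or is_known_ip(login["sourceIPAddress"])):
                continue  # failed logins and logins from known ranges do not start a chain
            for later in events[i + 1:]:
                elapsed = _when(later) - _when(login)
                if elapsed > window:
                    break  # sorted, so nothing further can fall inside the window
                if later["eventName"] == "AddUserToGroup":
                    hits.append((arn, login["sourceIPAddress"], int(elapsed.total_seconds() // 60),
                                 later["requestParameters"]["groupName"]))
    return hits
```

The same loop extends to the other chain steps listed below (CreateAccessKey, AssumeRole) by widening the set of follow-on event names, and the window is the main tuning knob for false positives.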
Possible Investigation Steps
- Review CloudTrail logs to identify the sequence of events within a short time window
- ConsoleLogin
- AddUserToGroup
- CreateAccessKey
- AssumeRole
- Check user permission or role assumed permission
- Check Amazon GuardDuty findings to see if the following are flagged, and investigate related events in the same timeframe.
- CredentialAccess:IAMUser/AnomalousBehaviour
- This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with defense evasion tactics where an adversary is trying to cover their tracks and avoid detection. APIs in this category are typically delete, disable, or stop operations, such as DeleteFlowLogs, DisableAlarmActions, or StopLogging.
- UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
- This finding informs you that multiple successful console logins for the same IAM user were observed around the same time in various geographical locations. Such anomalous and risky access location patterns indicate potential unauthorized access to your AWS resources.
- Check the source IP and cross-reference it against known IP ranges
- Analyze with Amazon Detective to visualize the user's activity timeline, and to identify other resource access, e.g. S3 buckets, EC2 instances, and any additional user, role, or policy creation during the incident timeframe
- Filter out legitimate activities and tune detection as needed
- These events could also be triggered by automated pipelines or admin scripts, e.g. adding a new user to groups when onboarding a new team member
- Whitelist known safe IP ranges
- Suppress rule for expected behavior without blanket whitelisting
Remediation
Manual steps are listed below. You could also set up automatic disabling of a compromised IAM user in Splunk SOAR and AWS Lambda.
- Deactivate credentials
- list-access-keys – List access keys
- Returns information about the access key IDs associated with the specified IAM user. If there is none, the operation returns an empty list.
- `aws iam list-access-keys --user-name Bob`
- Disable access keys
- update-access-key – Changes the status of the specified access key from Active to Inactive, or vice versa. This operation can be used to disable a user’s key as part of a key rotation workflow.
- `aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name Bob`
- This stops any API calls using that access key
- Remove or reset the password
- delete-login-profile – Deletes the password for the specified IAM user or root user
- `aws iam delete-login-profile --user-name Bob`
- Detach all policies
- detach-user-policy – Removes the specified managed policy from the specified user.
- `aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy`
- Remove from groups
- remove-user-from-group – Removes the specified user from the specified group.
- `aws iam remove-user-from-group --user-name Bob --group-name Admins`
- Contact the account owner to confirm the compromise
- Rotate the credentials
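The remediation steps above as one re-runnable Python function, added here as an example rather than taken from the post: it issues the same IAM calls as the CLI commands (list-access-keys, update-access-key, delete-login-profile, detach-user-policy, remove-user-from-group) through a boto3-style client and tolerates a user who has no console password. FakeIAM is a constructed in-memory test double so the block runs offline; in a Lambda you would pass boto3.client("iam") instead.

```python
def contain_iam_user(iam, user_name):
    """Run the manual remediation steps against `iam` (a boto3 IAM client, or anything
    with the same method names) and return what was changed so the caller can log it.
    Safe to re-run: a second call finds nothing left to do."""
    done = {"keys": [], "login_profile": False, "policies": [], "groups": []}
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":  # leave already-inactive keys alone
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            done["keys"].append(key["AccessKeyId"])
    try:
        iam.delete_login_profile(UserName=user_name)
        done["login_profile"] = True
    except iam.exceptions.NoSuchEntityException:
        pass  # user has no console password, nothing to remove
    for pol in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user_name, PolicyArn=pol["PolicyArn"])
        done["policies"].append(pol["PolicyArn"])
    for grp in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        iam.remove_user_from_group(GroupName=grp["GroupName"], UserName=user_name)
        done["groups"].append(grp["GroupName"])
    return done


class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client (test double only),
    mirroring the response shapes of the real calls."""
    class exceptions:  # boto3 exposes modelled errors as client.exceptions.<Name>
        class NoSuchEntityException(Exception): pass
    def __init__(self, keys, has_password, policies, groups):
        self.keys, self.has_password = keys, has_password
        self.policies, self.groups = list(policies), list(groups)
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys if k["AccessKeyId"] == AccessKeyId)["Status"] = Status
    def delete_login_profile(self, UserName):
        if not self.has_password: raise self.exceptions.NoSuchEntityException()
        self.has_password = False
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": p} for p in self.policies]}
    def detach_user_policy(self, UserName, PolicyArn): self.policies.remove(PolicyArn)
    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self.groups]}
    def remove_user_from_group(self, GroupName, UserName): self.groups.remove(GroupName)
```

Inline policies (list_user_policies / delete_user_policy) and MFA devices are outside the CLI steps above and are not touched here.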
References
- Building temporal correlations in Threat Hunts, James Fox, Cyber Security Operations Consultant, Feb 29 2024, https://www.fortian.com.au/blog/temporal-correlations-in-threat-hunts.html
- Detect and investigate Amazon EC2 malware with Amazon GuardDuty and Amazon Detective, https://aws.amazon.com/blogs/publicsector/detect-and-investigate-amazon-ec2-malware-with-amazon-guardduty-and-amazon-detective/
- Practical Temporal Proximity in KQL, https://attackthesoc.medium.com/practical-temporal-proximity-in-kql-57703a0acc18
- AWS CloudTrail Documentation
- Amazon Detective Analyzing finding groups, https://docs.aws.amazon.com/detective/latest/userguide/groups-about.html
- AWS GuardDuty Documentation
- AWS Athena Documentation
- Boto3 Documentation