Finding source of TLSv1 call / Have IP from CloudTrail but not sure how to dig deeper

0

Hello!

I received a notice that there are connections within my AWS account using TLS v1. Over the last few days, I have set up CloudTrail to monitor connections and I finally had a TLSv1 connection show up in the Lake Query. It appears the majority of my access to AWS uses an appropriate TLS, as the TLSv1 connection took a while to show up, and as of this post, there have only been two TLSv1 connections.

Although I have found the connection in CloudTrail, I am not quite sure how to move forward in linking that connection to a source. I'm not sure if it's a connection between AWS Resources, or if it's from something on my servers accessing AWS.

Hopefully I can provide some information that will be helpful in guiding me in a direction to figure out the source, but if there's more info I can provide, please let me know.

Original Notice Region: us-east-1 S3 Bucket: <mybucket> APIAction: REST.GET.BUCKET

CloudTrail Lake Query EventSource: s3.amazonaws.com EventName: ListObjects EventType: AwsApiCall SourceIP: 35.93.148.248 / 52.11.56.67

It appears the SourceIPs belong to AWS us-west-2.compute services. My first theory was something pertaining to EC2 load balancer (which I have 2 of), but both of those use HTTP, not HTTPS. So I don't believe they are the culprit?

I know there are guides on how to enforce TLS1.2 throughout AWS, but I'm not quite sure where that needs to be applied as I'm not sure where exactly the TLSv1 connection is originating from. I would like to know what the source is before I move forward in attempting to block the TLSv1 connections.

Any help is greatly appreciated!

asked 2 years ago426 views
1 Answer
0
Accepted Answer

Hello,

You did the first part of finding the calls, the second part is indeed finding the source. Once you have the CloudTrail event, you can use the following fields to find the origin of the call:

  1. the sourceIp is useful if it's an elastic IP you own. You can see what it is associated it.
  2. the userAgent can indicate what service is doing the call (may show powershell, a SDK, curl or something else)
  3. the userIdentity field may indicate which principal and associated instance is used

Details of the record are described here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html

Note that if your bucket is public, this IP may be an external public access and your options are:

  1. Enforce TLS 1.2 for this bucket: https://repost.aws/knowledge-center/s3-enforce-modern-tls
  2. Use a proxy in front of the bucket: https://repost.aws/knowledge-center/s3-access-old-tls

Hope it helps, Jon

profile pictureAWS
EXPERT
answered 2 years ago
profile picture
EXPERT
reviewed 5 months ago
  • Thank you so much for your reply and help Jon!

    The userAgent is not provided unfortunately, and the userIdentity properties are all null.

    The bucket is public, so I'm guessing you are correct in that it is being accessed externally. I do already utilize CloudFront, but perhaps there's somewhere I'm accessing the bucket without CloudFront - I will have to dig around a bit more.

    The plan is to enforce TLS 1.2 once I am confident there aren't going to be any issues with blocking that TLS 1 connection. Thankfully the TLS 1 connections are very rare, so it makes me think it's something externally accessing the bucket, and blocking it off shouldn't affect my application.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions