AWS STS Role Assumption by Service

Elastic Detection Rules

Summary
The rule detects instances where AWS services assume roles through the AWS Security Token Service (STS) to obtain temporary credentials for accessing AWS resources. While assumed roles are often used legitimately, adversaries can leverage this capability for unauthorized access, privilege escalation, or lateral movement within cloud environments. The detection is based on AWS CloudTrail logs, specifically 'AssumeRole' actions initiated by service identities. Key investigative steps include confirming the initiating actor and the role assumed, analyzing the session context, and inspecting user agents to identify anomalies. False positives may arise from legitimate administrative activity or automated tooling. The rule uses a new-terms detection approach keyed on the assuming user identity and the role ARN, and carries a low risk score for prioritization.
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1548
  • T1550
  • T1550.001
Created: 2021-05-17