
Summary
This detection rule identifies brute-force attempts against AWS IAM roles by analyzing AWS CloudTrail logs for a burst of failed assume-role requests. It keys on events whose `errorCode` is `MalformedPolicyDocumentException` with a failure outcome. IAM returns this error when a trust (assume role) policy names a principal that does not exist, so a run of these failures from one source points to an adversary guessing role or account names rather than the ordinary `AccessDenied` noise of a caller who lacks permission. Flagging the pattern early catches role enumeration before it turns into role assumption and unauthorized access to AWS resources. Tuning is usually needed: known sources such as corporate office egress addresses, CI systems, or particular user groups can generate legitimate failures and should be allowlisted or given a higher threshold.
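The following is an added example, not code from the rule page or its maintainers, showing the detection logic run over constructed CloudTrail records. The threshold, window, allowlist, ARNs and IP addresses are assumptions chosen for illustration. The candidate filter matches any event whose name contains `AssumeRole` (covering both `sts:AssumeRole` and `iam:UpdateAssumeRolePolicy`) and whose `errorCode` is `MalformedPolicyDocumentException`; failures are then counted per principal and source IP in a sliding window, with a known-source allowlist standing in for the tuning the summary mentions.

```python
"""Added example: threshold detection over constructed CloudTrail records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 5                     # failures per principal+source within WINDOW (assumed)
WINDOW = timedelta(minutes=10)    # sliding window length (assumed)
KNOWN_SOURCES = {"203.0.113.10"}  # e.g. corporate office egress (constructed)


def _record(ts, ip, arn, event_name, error_code=None, source="iam.amazonaws.com"):
    """Build one CloudTrail-shaped record. Constructed sample data, not real logs."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": ts,
        "eventSource": source,
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "requestParameters": {"roleName": "target-role"},
    }
    if error_code:
        rec["errorCode"] = error_code
    return rec


ATTACKER = "arn:aws:iam::123456789012:user/ci-runner"  # compromised key (constructed)
OFFICE = "arn:aws:iam::123456789012:user/alice"        # legitimate admin (constructed)

_records = (
    # Six failures in under a minute from one outside IP: name guessing.
    [_record(f"2025-01-08T10:00:{10 * i:02d}Z", "198.51.100.7", ATTACKER,
             "UpdateAssumeRolePolicy", "MalformedPolicyDocumentException")
     for i in range(6)]
    # A plain AccessDenied from the same source: different error, not counted.
    + [_record("2025-01-08T10:01:30Z", "198.51.100.7", ATTACKER,
               "AssumeRole", "AccessDenied", source="sts.amazonaws.com")]
    # An admin at the office mistyping a trust policy five times, then succeeding.
    + [_record(f"2025-01-08T11:0{i}:00Z", "203.0.113.10", OFFICE,
               "UpdateAssumeRolePolicy", "MalformedPolicyDocumentException")
       for i in range(5)]
    + [_record("2025-01-08T11:06:00Z", "203.0.113.10", OFFICE, "UpdateAssumeRolePolicy")]
)
SAMPLE_LOG = json.dumps({"Records": _records})  # shape of a CloudTrail delivery file


def load_records(raw):
    """Parse a CloudTrail delivery file ({"Records": [...]}) into dicts."""
    return json.loads(raw)["Records"]


def is_candidate(rec):
    """Events the rule counts: an AssumeRole-related call rejected with
    MalformedPolicyDocumentException (IAM's 'invalid principal' failure)."""
    return ("AssumeRole" in rec.get("eventName", "")
            and rec.get("errorCode") == "MalformedPolicyDocumentException")


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(records, threshold=THRESHOLD, window=WINDOW, known_sources=KNOWN_SOURCES):
    """Return one alert per (principal, source IP) whose candidate failures
    reach `threshold` inside some `window`-long sliding interval."""
    buckets = defaultdict(list)
    for rec in records:
        if not is_candidate(rec):
            continue
        if rec.get("sourceIPAddress") in known_sources:
            continue  # tuning: trusted egress, expected noise
        key = (rec["userIdentity"].get("arn"), rec["sourceIPAddress"])
        buckets[key].append(_ts(rec))

    alerts = []
    for (arn, ip), times in buckets.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1          # drop events that fell out of the window
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"principal": arn, "source_ip": ip, "count": best,
                           "first_seen": times[0].isoformat(),
                           "last_seen": times[-1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

With the allowlist in place only the outside source fires; dropping `known_sources` (or lowering the threshold) also surfaces the office burst, which is the trade-off the tuning note in the summary is about. Keying on the error code rather than on any failed call is what keeps routine `AccessDenied` events out of the count.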
Categories
- Cloud
- AWS
Data Sources
- Pod
- Cloud Service
- Logon Session
- Application Log
ATT&CK Techniques
- T1580
- T1110
Created: 2025-01-08