Elastic Security Detection Rules

AWS STS Role Assumption by User

Last updated 14 days ago on 2024-11-07
Created 16 days ago on 2024-11-05

About

Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS STSUse Case: Identity and Access AuditTactic: Privilege Escalation
Severity
low
Risk Score
21
MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

Abuse Elevation Control Mechanism (T1548)(opens in a new tab or window)

Lateral Movement (TA0008)(opens in a new tab or window)

Use Alternate Authentication Material (T1550)(opens in a new tab or window)

False Positive Examples
AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.Applications integrated with AWS might assume roles to access AWS resources.Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(opens in a new tab or window)

Query
event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRole"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser")

Install detection rules in Elastic Security

Detect AWS STS Role Assumption by User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).