Elastic Security Detection Rules

AWS STS AssumeRole with New MFA Device

Last updated 4 months ago on 2025-08-20
Created a year ago on 2024-10-25

About

Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS). While a new MFA device is not always indicative of malicious behavior it should be verified as adversaries can use this technique for persistence and privilege escalation.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS STSUse Case: Identity and Access AuditTactic: Privilege EscalationTactic: PersistenceTactic: Lateral MovementLanguage: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Modify Authentication Process (T1556)(external, opens in a new tab or window)

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Abuse Elevation Control Mechanism (T1548)(external, opens in a new tab or window)

Lateral Movement (TA0008)(external, opens in a new tab or window)

Use Alternate Authentication Material (T1550)(external, opens in a new tab or window)

False Positive Examples
AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes and to perform periodic tasks such as data backups, updates, or deployments.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
event.dataset:aws.cloudtrail
    and event.provider:sts.amazonaws.com
    and event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity)
    and event.outcome:success
    and aws.cloudtrail.flattened.request_parameters.serialNumber:*

Install detection rules in Elastic Security

Detect AWS STS AssumeRole with New MFA Device in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).