AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN

Last updated 11 days ago on 2026-04-22
Created 11 days ago on 2026-04-22

About

Detects successful `AssumeRoleWithWebIdentity` calls where the caller identity is a Kubernetes service account and the source autonomous system organization is present but is not `Amazon.com, Inc.`. EKS workloads that obtain IAM credentials via IAM Roles for Service Accounts (IRSA) normally reach STS from AWS-managed or AWS-associated networks; the same identity arriving from a clearly external ASN can indicate a stolen or misused projected service-account token being exchanged for IAM credentials off-cluster.
Tags
Domain: Cloud
Domain: Identity
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Use Case: Threat Detection
Tactic: Initial Access
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

False Positive Examples
Traffic may leave the cluster via corporate proxies, VPNs, or non-AWS NAT providers that populate a non-Amazon ASN organization name while still being legitimate. AWS IP ranges are also labeled with other organization strings (for example `AMAZON-02`); this rule only excludes `Amazon.com, Inc.` per the match condition, so tune it with additional approved ASNs, CIDRs, or known automation identities if needed.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
data_stream.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRoleWithWebIdentity and event.outcome:success and user.name:system\:serviceaccount\:* and source.as.organization.name:(* and not (Amazon* or AMAZON*))
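The following is an added example, not part of the Elastic rule or its integration pack: a plain-Python re-implementation of the match condition above, run over constructed ECS-shaped CloudTrail documents so that the benign IRSA case, the external-ASN case, a failed call and a non-service-account caller can be compared side by side. Field names are taken from the KQL; the `extra_excluded_prefixes` parameter is a hypothetical tuning knob for the approved egress providers mentioned under False Positive Examples.

```python
import fnmatch

# Prefixes excluded by the rule's `not (Amazon* or AMAZON*)` clause.
EXCLUDED_AS_ORG_PREFIXES = ("Amazon", "AMAZON")


def matches_rule(event, extra_excluded_prefixes=()):
    """True when an ECS-shaped CloudTrail document satisfies the rule's KQL.

    Field names follow the query above; an absent field never matches, as in
    KQL. extra_excluded_prefixes is a hypothetical tuning knob (assumption).
    """
    required = {
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": "sts.amazonaws.com",
        "event.action": "AssumeRoleWithWebIdentity",
        "event.outcome": "success",
    }
    if any(event.get(field) != value for field, value in required.items()):
        return False
    # user.name:system\:serviceaccount\:*  (escaped colons, trailing wildcard)
    user_name = str(event.get("user.name", ""))
    if not fnmatch.fnmatchcase(user_name, "system:serviceaccount:*"):
        return False
    # source.as.organization.name:(* and not (...)): the field must exist and
    # be non-empty, and must not start with an excluded organization prefix.
    as_org = event.get("source.as.organization.name") or ""
    excluded = EXCLUDED_AS_ORG_PREFIXES + tuple(extra_excluded_prefixes)
    return bool(as_org) and not as_org.startswith(excluded)


def alerting_events(events, extra_excluded_prefixes=()):
    """Filter a batch of documents down to those the rule would alert on."""
    return [e for e in events if matches_rule(e, extra_excluded_prefixes)]


def _event(user_name, as_org, outcome="success"):
    """Build a constructed ECS-shaped CloudTrail document (not a real record)."""
    return {"data_stream.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
            "event.action": "AssumeRoleWithWebIdentity", "event.outcome": outcome,
            "user.name": user_name, "source.as.organization.name": as_org}


# Constructed samples: IRSA exchange from an AWS-labelled ASN, the same
# service account from an external ASN, a failed attempt, and an IAM user.
SAMPLE_EVENTS = [
    _event("system:serviceaccount:payments:api", "AMAZON-02"),
    _event("system:serviceaccount:payments:api", "ExampleHosting Ltd"),
    _event("system:serviceaccount:payments:api", "ExampleHosting Ltd", outcome="failure"),
    _event("deploy-user", "ExampleHosting Ltd"),
]
```

Only the second sample alerts; passing `extra_excluded_prefixes=("ExampleHosting",)` models allowlisting a known corporate egress provider and silences it.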

Install detection rules in Elastic Security

Detect AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.