AWS STS GetSessionToken Usage

Last updated 15 days ago on 2025-11-03
Created 5 years ago on 2021-05-17

About

Identifies the use of GetSessionToken API calls by IAM users or the root account. While this is a common and legitimate operation used to obtain temporary credentials, it also provides adversaries with a method to generate short-lived tokens for stealthy activity. Attackers who compromise IAM user access keys may call GetSessionToken to create temporary credentials, which they can then use to move laterally, escalate privileges, or persist after key rotation. This rule is intended as a building block rule (BBR) to establish patterns of typical STS usage and support correlation with higher-fidelity detections.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Tactic: Lateral Movement
Rule Type: BBR
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Privilege Escalation (TA0004)

Lateral Movement (TA0008)

False Positive Examples
GetSessionToken is widely used by legitimate automation, CLI users, and administrative scripts to acquire temporary credentials. Frequent, authorized usage is expected in most environments, especially where IAM users authenticate with MFA or use short-lived tokens. Review IAM and CI/CD users, SDKs, and service accounts that regularly perform this action and document them in an allowlist. Suppress or tune accordingly to reduce noise.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: aws.cloudtrail 
  and event.provider: sts.amazonaws.com 
  and event.action: GetSessionToken 
  and event.outcome: success
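To show what the four conjuncts of the query select, and how the allowlist tuning described under False Positive Examples narrows the result, the following added example replays the rule's logic over constructed CloudTrail events. It is not code from the Elastic rule or the Elastic AWS integration; the ECS field layout follows the query, while the user names and allowlist are made up.

```python
"""Replays the rule's KQL conditions over constructed CloudTrail events.

Added example; not part of the Elastic rule or the Elastic AWS integration.
Field names follow the ECS layout the query references; user names and the
allowlist are constructed for illustration.
"""

# Constructed events. Real CloudTrail records carry many more fields.
SAMPLE_EVENTS = [
    {"event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
               "action": "GetSessionToken", "outcome": "success"},
     "user": {"name": "ci-deploy"}},                 # documented automation
    {"event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
               "action": "GetSessionToken", "outcome": "success"},
     "user": {"name": "alice"}},                     # IAM user, not allowlisted
    {"event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
               "action": "GetSessionToken", "outcome": "failure"},
     "user": {"name": "bob"}},                       # denied call: rule wants success
    {"event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
               "action": "AssumeRole", "outcome": "success"},
     "user": {"name": "alice"}},                     # other STS action, not matched
    {"event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
               "action": "GetSessionToken", "outcome": "success"},
     "user": {"name": "root"}},                      # root-account call
]

# Constructed allowlist of reviewed CI/CD and automation identities.
ALLOWLIST = {"ci-deploy"}


def matches_rule(doc):
    """True when a document satisfies all four conjuncts of the rule's query."""
    ev = doc.get("event", {})
    return (ev.get("dataset") == "aws.cloudtrail"
            and ev.get("provider") == "sts.amazonaws.com"
            and ev.get("action") == "GetSessionToken"
            and ev.get("outcome") == "success")


def triage(docs, allowlist):
    """User names of rule matches left after suppressing allowlisted identities."""
    return [d["user"]["name"] for d in docs
            if matches_rule(d) and d["user"]["name"] not in allowlist]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, ALLOWLIST))  # ['alice', 'root']
```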

Install detection rules in Elastic Security

Detect AWS STS GetSessionToken Usage in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.