AWS STS GetFederationToken with AdministratorAccess in Request

Last updated: 2026-04-08
Created: 2026-04-08

About

Identifies successful calls to AWS STS GetFederationToken where request parameters reference AdministratorAccess. This API returns temporary security credentials for a federated user with permissions bounded by the calling IAM user and any inline session policy passed in the request. Supplying or referencing the AWS managed AdministratorAccess policy (or an equivalent string in the policy payload) can grant broadly privileged temporary credentials and may indicate privilege abuse or dangerous automation.
Tags
Domain: Cloud
Domain: Identity
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Lateral Movement
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)

Lateral Movement (TA0008)

False Positive Examples
It is highly unusual for legitimate workflows to embed or reference full administrator access in GetFederationToken session policies; where this is found, it is often legacy or misconfigured tooling. Confirm with the owning team and replace the policy with a least-privilege session policy. Tune the rule only after documented approval.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "GetFederationToken" and event.outcome: "success" and aws.cloudtrail.request_parameters: *AdministratorAccess*
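The following is an added example, not part of the Elastic rule or its integration, that re-implements the query's five clauses in Python and runs them over constructed ECS-shaped CloudTrail documents so a triager can see which requests the rule catches and which it does not. It assumes, as the Elastic AWS integration does, that aws.cloudtrail.request_parameters holds the request's JSON serialized as a single string, and that the KQL wildcard on that keyword field behaves as a case-sensitive substring match; the event names and policies are made up for the demonstration.

```python
"""Evaluate the rule's conditions over ECS-shaped CloudTrail documents (constructed sample data)."""
import json
from typing import Any, Dict, List


def get_field(doc: Dict[str, Any], dotted: str) -> Any:
    """Resolve an ECS dotted field name such as 'event.action' against a nested dict."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: Dict[str, Any]) -> bool:
    """Equivalent of the KQL query: four exact-match clauses plus a wildcard
    match on the serialized request parameters.
    Assumption: request_parameters is the request JSON stored as one string, so
    *AdministratorAccess* is a case-sensitive substring test on that string."""
    exact = {
        "event.dataset": "aws.cloudtrail",
        "event.provider": "sts.amazonaws.com",
        "event.action": "GetFederationToken",
        "event.outcome": "success",
    }
    if any(get_field(doc, field) != value for field, value in exact.items()):
        return False
    params = get_field(doc, "aws.cloudtrail.request_parameters")
    return isinstance(params, str) and "AdministratorAccess" in params


def make_event(action: str, outcome: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Build a constructed ECS-style document (not a real CloudTrail record)."""
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
                  "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {"request_parameters": json.dumps(params)}},
    }


# Constructed sample events covering the cases a triager sees most often.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 1: the managed policy ARN passed in PolicyArns -> matches
    make_event("GetFederationToken", "success", {
        "name": "build-bot",
        "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
    }),
    # 2: inline session policy whose Sid contains the same string -> matches
    make_event("GetFederationToken", "success", {
        "name": "legacy-tool",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "AdministratorAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    }),
    # 3: least-privilege session policy -> does not match
    make_event("GetFederationToken", "success", {
        "name": "report-job",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"}]}),
    }),
    # 4: same admin reference, but the call was denied -> the rule requires success
    make_event("GetFederationToken", "failure", {
        "name": "denied-call",
        "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
    }),
    # 5: a different STS action -> out of scope for this rule
    make_event("GetSessionToken", "success", {"durationSeconds": 3600}),
]


def alerting_events(events: List[Dict[str, Any]]) -> List[str]:
    """Return the federated user names of the events the rule would alert on."""
    return [json.loads(get_field(e, "aws.cloudtrail.request_parameters")).get("name")
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_events(SAMPLE_EVENTS))  # ['build-bot', 'legacy-tool']
```

Because the wildcard runs over the whole serialized request, the rule fires whether the managed policy is referenced by ARN in PolicyArns or the literal string appears anywhere in an inline Policy document. The converse is the coverage caveat worth keeping in mind during tuning: an inline session policy that grants "Action": "*" on "Resource": "*" without ever containing the string AdministratorAccess (as in event 2 with the Sid removed) is just as privileged but would not match this query.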

Install detection rules in Elastic Security

Detect AWS STS GetFederationToken with AdministratorAccess in Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.