AWS Security Token Service (STS) AssumeRole Usage

edit

AWS Security Token Service (STS) AssumeRole Usage

edit

Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • AWS
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 4 (version history)

Added (Elastic Stack release): 7.16.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Austin Songer

Rule license: Elastic License v2

Potential false positives

edit

Automated processes that use Terraform may lead to false positives.

Investigation guide

edit

Rule query

edit
event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and
event.action:AssumedRole and
aws.cloudtrail.user_identity.session_context.session_issuer.type:Role
and event.outcome:success

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 4 (8.4.0 release)
  • Updated query, changed from:

    event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and
    event.action:AssumedRole and
    aws.cloudtrail.user_identity.session_context.session_issuer.type:Role
    and event.outcome:success
Version 2 (8.1.0 release)
  • Formatting only