AWS EC2 Instance Console Login via Assumed Role

  1[metadata]
  2creation_date = "2024/07/24"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/11/05"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects successful AWS Management Console or federation login activity performed using an EC2 instance’s assumed role
 11credentials. EC2 instances typically use temporary credentials to make API calls, not to authenticate interactively via
 12the console. A successful "ConsoleLogin" or "GetSigninToken" event using a session pattern that includes "i-" (the EC2
 13instance ID) is highly anomalous and may indicate that an adversary obtained the instance’s temporary credentials from
 14the instance metadata service (IMDS) and used them to access the console. Such activity can enable lateral movement,
 15privilege escalation, or persistence within the AWS account.
 16"""
 17event_category_override = "event.type"
 18false_positives = [
 19    """
 20    This is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event
 21    and include exceptions where necessary.
 22    """,
 23]
 24from = "now-6m"
 25index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 26language = "eql"
 27license = "Elastic License v2"
 28name = "AWS EC2 Instance Console Login via Assumed Role"
 29note = """## Triage and analysis
 30
 31> **Disclaimer**:
 32> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 33
 34### Investigating AWS EC2 Instance Console Login via Assumed Role
 35
 36This rule detects successful AWS console or federation logins using temporary credentials tied to EC2 instance profiles. Under normal conditions, EC2 instances use their temporary credentials for programmatic API access — **not** for interactive console sessions. When an attacker gains access to an instance’s IMDS (Instance Metadata Service) or its environment variables, they may retrieve temporary STS credentials and attempt console logins to gain full access to the AWS account. A successful login of this type is rare and high-risk, as it strongly suggests credential theft or unauthorized session hijacking.
 37
 38#### Possible investigation steps
 39
 40- **Identify the source and actor**
 41  - Review `aws.cloudtrail.user_identity.arn`, `user.id`, and `user_agent.original` fields to confirm the session originated from an EC2 instance (`:i-` pattern).
 42  - Correlate the instance ID (`i-xxxxxx`) with the specific EC2 instance in your environment to identify its owner, purpose, and running applications.
 43  - Check `source.ip` and `cloud.region` to determine if the login originated from within AWS infrastructure (expected) or an external location (suspicious).
 44
 45- **Correlate surrounding activity**
 46  - Pivot in Timeline to view the sequence of events leading up to the login, including:
 47    - STS token retrievals (`GetSessionToken`, `AssumeRole`, `GetCallerIdentity`)
 48    - Calls to the IMDS endpoint or local credential exfiltration attempts from the instance.
 49  - Investigate whether the same role or credentials were used for API actions following the login (e.g., `CreateUser`, `AttachRolePolicy`, or `ListBuckets`).
 50
 51- **Assess IAM role exposure**
 52  - Determine which IAM role was associated with the instance at the time of the event and review its attached permissions.
 53  - Evaluate whether the role grants console access or permissions beyond what that workload normally requires.
 54  - Check for any recent changes to that role’s trust policy or attached policies.
 55
 56- **Validate authorization**
 57  - Contact the EC2 instance owner or service team to confirm if any legitimate process should be logging in to the console.
 58  - If no legitimate activity can explain the login, treat the credentials as compromised.
 59
 60### False positive analysis
 61
 62This is very uncommon behavior.  
 63Known legitimate causes include:
 64- AWS or internal security automation that programmatically initiates console sessions for validation or testing.
 65- Forensic or incident-response automation that logs in using temporary credentials from a compromised instance.
 66- Red-team or penetration-testing activity designed to validate IMDS exposure or lateral movement scenarios.
 67
 68For any other occurrence, treat the alert as potentially malicious.  
 69Validate through:
 70- The originating instance’s purpose and owner.
 71- Known automation patterns in `user_agent.original`.
 72- The timestamp alignment with planned testing or security validation.
 73
 74### Response and remediation
 75
 76- **Immediate containment**
 77  - Revoke the temporary credentials for the affected role (`aws sts revoke-session-token` or rotate the role credentials).
 78  - Isolate the associated EC2 instance (e.g., detach it from the VPC or security groups) to prevent further credential misuse.
 79  - Invalidate active console sessions via AWS CLI or the AWS Console.
 80
 81- **Investigation and scoping**
 82  - Review CloudTrail logs for all actions associated with the compromised role in the preceding 24 hours.
 83  - Determine if additional roles or instances show similar `ConsoleLogin` patterns.
 84  - Search for network indicators of IMDS exploitation (e.g., requests to `169.254.169.254` from unauthorized binaries or users).
 85
 86- **Recovery and hardening**
 87  - Rotate all credentials for affected roles and users.
 88  - Apply IMDSv2 enforcement to prevent credential harvesting from EC2 metadata.
 89  - Implement restrictive IAM policies: deny console access (`iam:PassRole`, `sts:GetFederationToken`) for non-human roles.
 90
 91### Additional information
 92- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 93- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 94- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
 95"""
 96references = [
 97    "https://redcanary.com/blog/aws-sts/",
 98    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html/",
 99]
100risk_score = 73
101rule_id = "d1e5e410-3e34-412e-9b1f-dd500b3b55cd"
102severity = "high"
103tags = [
104    "Domain: Cloud",
105    "Data Source: AWS",
106    "Data Source: Amazon Web Services",
107    "Data Source: AWS EC2",
108    "Data Source: AWS STS",
109    "Data Source: AWS Sign-In",
110    "Use Case: Identity and Access Audit",
111    "Tactic: Lateral Movement",
112    "Tactic: Credential Access",
113    "Tactic: Persistence",
114    "Resources: Investigation Guide",
115]
116timestamp_override = "event.ingested"
117type = "eql"
118
119query = '''
120info where event.dataset == "aws.cloudtrail"
121   and event.provider == "signin.amazonaws.com"
122   and event.action in ("ConsoleLogin", "GetSigninToken")
123   and event.outcome == "success"
124   and aws.cloudtrail.user_identity.type == "AssumedRole"
125   and stringContains (user.id, ":i-")
126'''
127
128
129[[rule.threat]]
130framework = "MITRE ATT&CK"
131[[rule.threat.technique]]
132id = "T1021"
133name = "Remote Services"
134reference = "https://attack.mitre.org/techniques/T1021/"
135[[rule.threat.technique.subtechnique]]
136id = "T1021.007"
137name = "Cloud Services"
138reference = "https://attack.mitre.org/techniques/T1021/007/"
139
140
141[[rule.threat.technique]]
142id = "T1550"
143name = "Use Alternate Authentication Material"
144reference = "https://attack.mitre.org/techniques/T1550/"
145[[rule.threat.technique.subtechnique]]
146id = "T1550.001"
147name = "Application Access Token"
148reference = "https://attack.mitre.org/techniques/T1550/001/"
149
150
151
152[rule.threat.tactic]
153id = "TA0008"
154name = "Lateral Movement"
155reference = "https://attack.mitre.org/tactics/TA0008/"
156[[rule.threat]]
157framework = "MITRE ATT&CK"
158[[rule.threat.technique]]
159id = "T1078"
160name = "Valid Accounts"
161reference = "https://attack.mitre.org/techniques/T1078/"
162[[rule.threat.technique.subtechnique]]
163id = "T1078.004"
164name = "Cloud Accounts"
165reference = "https://attack.mitre.org/techniques/T1078/004/"
166
167
168
169[rule.threat.tactic]
170id = "TA0003"
171name = "Persistence"
172reference = "https://attack.mitre.org/tactics/TA0003/"
173[[rule.threat]]
174framework = "MITRE ATT&CK"
175[[rule.threat.technique]]
176id = "T1552"
177name = "Unsecured Credentials"
178reference = "https://attack.mitre.org/techniques/T1552/"
179[[rule.threat.technique.subtechnique]]
180id = "T1552.005"
181name = "Cloud Instance Metadata API"
182reference = "https://attack.mitre.org/techniques/T1552/005/"
183
184
185
186[rule.threat.tactic]
187id = "TA0006"
188name = "Credential Access"
189reference = "https://attack.mitre.org/tactics/TA0006/"
190
191[rule.investigation_fields]
192field_names = [
193    "@timestamp",
194    "user.name",
195    "user_agent.original",
196    "source.ip",
197    "aws.cloudtrail.user_identity.arn",
198    "aws.cloudtrail.user_identity.type",
199    "aws.cloudtrail.user_identity.access_key_id",
200    "event.action",
201    "event.outcome",
202    "cloud.account.id",
203    "cloud.region",
204    "aws.cloudtrail.response_elements",
205]