AWS EC2 Instance Console Login via Assumed Role

Identifies a successful AWS Management Console login by an EC2 instance-profile session, that is, by temporary credentials that EC2 obtained for an instance by assuming its instance-profile role. Instances use those credentials for API calls, not for console sign-in, so a `ConsoleLogin` or `GetSigninToken` event from such a session is uncommon and may indicate that an attacker obtained the instance's temporary credentials (for example from the instance metadata service) and exchanged them for a console session through the federation endpoint that the referenced AWS documentation describes. When EC2 assumes the role it uses the instance ID (`i-...`) as the role session name, so the session's principal ID has the form `<role-id>:i-<instance-id>`. The rule therefore looks for `:i-` in `user.id`, combined with a successful `ConsoleLogin` or `GetSigninToken` call to `signin.amazonaws.com` whose caller identity type is `AssumedRole`.
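The rule's logic, written out as an added Python example (not the rule's own code or Elastic's integration code) and run over constructed CloudTrail records. It assumes the Elastic CloudTrail integration maps `event.provider` to `eventSource`, `event.action` to `eventName`, `aws.cloudtrail.user_identity.type` to `userIdentity.type` and `user.id` to `userIdentity.principalId`; that mapping is why the rule's `:i-` pattern matches the `<role-id>:<session-name>` form of the principal ID rather than the ARN, where the session name follows a slash. The sample records follow the CloudTrail record format, but the account, role and instance identifiers in them are made up.

```python
"""Detection logic of the rule above, run over constructed CloudTrail records.

Field mapping assumed by this example (ECS field <- raw CloudTrail field):
  event.provider                    <- eventSource
  event.action                      <- eventName
  event.outcome                     <- derived from responseElements / errorCode
  aws.cloudtrail.user_identity.type <- userIdentity.type
  user.id                           <- userIdentity.principalId
"""
import re

# Constructed sample records, not real log data: IDs and addresses are made up.
SAMPLE_RECORDS = [
    {   # instance-profile session signing in to the console -> alert
        "eventTime": "2024-07-24T10:15:02Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEROLEID01:i-0abc123def4567890",
            "arn": "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0abc123def4567890",
        },
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # same session type, but the sign-in failed -> no alert
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "AssumedRole",
                         "principalId": "AROAEXAMPLEROLEID01:i-0abc123def4567890"},
        "responseElements": {"ConsoleLogin": "Failure"},
    },
    {   # operator who assumed the same role with a personal session name -> no alert
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEROLEID01:alice",
                         "arn": "arn:aws:sts::123456789012:assumed-role/WebServerRole/alice"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # federation endpoint minting a sign-in token for an instance session -> alert
        "eventTime": "2024-07-24T11:02:19Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "GetSigninToken",
        "sourceIPAddress": "203.0.113.41",
        "userIdentity": {"type": "AssumedRole",
                         "principalId": "AROAEXAMPLEROLEID02:i-0fedcba9876543210",
                         "arn": "arn:aws:sts::123456789012:assumed-role/BatchRole/i-0fedcba9876543210"},
        "responseElements": {"GetSigninToken": "Success"},
    },
    {   # ordinary IAM user login -> no alert (identity type is IAMUser)
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSERID", "userName": "bob"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # plain API call by an instance session, not a sign-in -> no alert
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {"type": "AssumedRole",
                         "principalId": "AROAEXAMPLEROLEID01:i-0abc123def4567890"},
    },
]

SIGNIN_ACTIONS = {"ConsoleLogin", "GetSigninToken"}
INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8}(?:[0-9a-f]{9})?$")  # i- plus 8 or 17 hex digits


def event_outcome(record):
    """Derive event.outcome the way this example assumes the integration does."""
    if "errorCode" in record or "errorMessage" in record:
        return "failure"
    values = set((record.get("responseElements") or {}).values())
    if "Success" in values:
        return "success"
    if "Failure" in values:
        return "failure"
    return "unknown"


def instance_session_name(principal_id):
    """Session-name part of an AssumedRole principalId when it is an EC2 instance
    ID, else None. The rule only checks for ':i-'; the regex is an extra sanity
    check that tells a real instance ID apart from a look-alike session name."""
    if ":i-" not in principal_id:
        return None
    session = principal_id.split(":", 1)[1]
    return session if INSTANCE_ID.match(session) else None


def matches_rule(record):
    """Return an alert dict when the record satisfies every rule condition."""
    if record.get("eventSource") != "signin.amazonaws.com":
        return None
    if record.get("eventName") not in SIGNIN_ACTIONS:
        return None
    if event_outcome(record) != "success":
        return None
    identity = record.get("userIdentity") or {}
    if identity.get("type") != "AssumedRole":
        return None
    principal_id = identity.get("principalId", "")
    if ":i-" not in principal_id:          # stringContains(user.id, ":i-")
        return None
    parts = identity.get("arn", "").split("/")   # .../assumed-role/<role>/<session>
    return {
        "action": record["eventName"],
        "instance_id": instance_session_name(principal_id),
        "role_name": parts[1] if len(parts) == 3 else None,
        "source_ip": record.get("sourceIPAddress"),
        "time": record.get("eventTime"),
    }


def scan(records):
    return [hit for hit in map(matches_rule, records) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

Two points follow from the logic. The session name is baked into the credentials, so whoever holds a stolen copy cannot change it, which is what makes the `:i-` check reliable for direct use of the instance's credentials. The same fact marks the rule's limit: if the attacker uses the instance session to call `AssumeRole` into another role with a session name of their choosing, the console login comes from that second session and contains no `:i-`, so pair this rule with monitoring of `AssumeRole` calls made by instance sessions.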

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/07/24"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies a successful console login activity by an EC2 instance profile using an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance and a successful `ConsoleLogin` or `GetSigninToken` API call.
"""
false_positives = ["This is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event and include exceptions where necessary."]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS EC2 Instance Console Login via Assumed Role"
references = [
    "https://redcanary.com/blog/aws-sts/",
    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html/",
]
risk_score = 73
rule_id = "d1e5e410-3e34-412e-9b1f-dd500b3b55cd"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Data Source: AWS STS",
    "Use Case: Identity and Access Audit",
    "Tactic: Lateral Movement",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
   and event.provider == "signin.amazonaws.com"
   and event.action in ("ConsoleLogin", "GetSigninToken")
   and event.outcome == "success"
   and aws.cloudtrail.user_identity.type == "AssumedRole"
   and stringContains (user.id, ":i-")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS EC2 Instance Console Login via Assumed Role

AWS EC2 instances can assume roles to access resources securely, using temporary credentials. This mechanism, while essential for legitimate operations, can be exploited by adversaries who gain access to EC2 credentials, allowing them to assume roles and perform unauthorized actions. The detection rule identifies unusual console login activities by EC2 instances, flagging potential misuse by checking for specific session patterns and successful login events, thus helping to uncover lateral movement or credential access attempts.

### Possible investigation steps

- Review the CloudTrail logs for the specific event where event.dataset is "aws.cloudtrail" and event.provider is "signin.amazonaws.com" to gather more details about the login event.
- Identify the EC2 instance associated with the session by examining the user.id field for the pattern ":i-" and correlate it with known EC2 instance IDs in your environment.
- Check the AWS CloudTrail logs for any other activities performed by the same assumed role session to identify any unauthorized actions or lateral movement attempts.
- Investigate the source IP address and geolocation of the login event to determine if it aligns with expected access patterns for your organization.
- Verify the IAM role policies and permissions associated with the assumed role to assess the potential impact of the unauthorized access.
- Review recent changes to the IAM roles and policies to identify any unauthorized modifications that could have facilitated the assumed role access.
- Contact the instance owner or relevant team to confirm if the login activity was expected or authorized, and take appropriate action if it was not.

### False positive analysis

- Routine administrative tasks: EC2 instances may assume roles for legitimate administrative purposes, such as automated deployments or maintenance tasks. To manage this, identify and whitelist known administrative session patterns or specific instance IDs that regularly perform these tasks.
- Monitoring and logging services: Some monitoring or logging services might use assumed roles to access AWS resources for data collection. Review and exclude these services by identifying their specific session patterns or instance IDs.
- Scheduled jobs or scripts: Automated scripts or scheduled jobs running on EC2 instances might assume roles for resource access. Document these jobs and create exceptions for their session patterns to prevent false alerts.
- Development and testing environments: Instances in development or testing environments might frequently assume roles for testing purposes. Consider excluding these environments from the rule or creating specific exceptions for known testing activities.
- Third-party integrations: Some third-party tools or integrations might require EC2 instances to assume roles for functionality. Verify these integrations and exclude their session patterns or instance IDs from triggering alerts.

### Response and remediation

- Immediately revoke the temporary credentials associated with the compromised EC2 instance to prevent further unauthorized access.
- Isolate the affected EC2 instance from the network to contain any potential lateral movement by the attacker.
- Conduct a thorough review of CloudTrail logs to identify any unauthorized actions performed using the assumed role and assess the extent of the compromise.
- Reset and rotate all credentials and access keys associated with the compromised EC2 instance and any other potentially affected resources.
- Implement stricter IAM policies and role permissions to limit the scope of access for EC2 instances, ensuring the principle of least privilege is enforced.
- Notify the security operations team and relevant stakeholders about the incident for further investigation and to initiate any necessary legal or compliance procedures.
- Enhance monitoring and alerting mechanisms to detect similar patterns of unusual console login activities in the future, ensuring rapid response to potential threats."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.007"
name = "Cloud Services"
reference = "https://attack.mitre.org/techniques/T1021/007/"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
...
```
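The first two response steps in the guide ("revoke the temporary credentials" and "isolate the affected EC2 instance") deserve a concrete form, because instance-profile credentials cannot be revoked individually: the stolen copy and the instance's own copy are the same session. What works is the mechanism the IAM console uses for "Revoke active sessions", an inline deny policy on the role conditioned on `aws:TokenIssueTime`, which invalidates every session issued before a cut-off while the instance recovers as soon as the metadata service hands it a fresh session. The following is an added example (not Elastic's or AWS's code) built on the boto3 call signatures `iam.put_role_policy` and `ec2.modify_instance_attribute`; clients are passed in so the functions run offline against a recording stand-in. The role, instance and security-group identifiers are made up, and the quarantine security group is assumed to exist already.

```python
"""Containment helpers for the "revoke credentials" and "isolate instance" steps.

Assumes boto3-style clients passed in by the caller; a recording stand-in is
included so the logic can be exercised without AWS access.
"""
import json
from datetime import datetime, timezone

# Name the IAM console uses for the policy it creates on "Revoke active sessions".
REVOKE_POLICY_NAME = "AWSRevokeOlderSessions"
# Fixed timestamp used by the offline demonstration (constructed, not from a log).
EXAMPLE_TIME = datetime(2024, 7, 24, 10, 15, tzinfo=timezone.utc)


def revoke_policy_document(issued_before):
    """Inline deny policy for every session whose credentials were issued before
    `issued_before`. Sessions issued later, including the instance's next
    refresh from IMDS, are unaffected."""
    stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    doc = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }
    return json.dumps(doc, separators=(",", ":"))


def revoke_role_sessions(iam, role_name, now=None):
    """Attach the deny policy to the role (needs iam:PutRolePolicy). Every
    credential set issued before `now`, the attacker's copy included, stops
    working immediately. Returns the policy document that was applied."""
    now = now or datetime.now(timezone.utc)
    doc = revoke_policy_document(now)
    iam.put_role_policy(RoleName=role_name, PolicyName=REVOKE_POLICY_NAME,
                        PolicyDocument=doc)
    return doc


def quarantine_instance(ec2, instance_id, quarantine_sg_id):
    """Replace the instance's security groups with a quarantine group. That group
    must already exist with no inbound and no outbound rules; remember that a
    freshly created group carries a default allow-all egress rule to remove."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    return {"InstanceId": instance_id, "Groups": [quarantine_sg_id]}


def contain(iam, ec2, role_name, instance_id, quarantine_sg_id, now=None):
    """Run both containment steps and return a record of what was done."""
    return {
        "revoke_policy": revoke_role_sessions(iam, role_name, now),
        "quarantine": quarantine_instance(ec2, instance_id, quarantine_sg_id),
    }


class RecordingClient:
    """Stand-in for a boto3 client: records each call instead of contacting AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


if __name__ == "__main__":
    # Offline dry run. For a real response, replace the stand-ins with
    # boto3.client("iam") and boto3.client("ec2").
    iam, ec2 = RecordingClient(), RecordingClient()
    done = contain(iam, ec2, "WebServerRole", "i-0abc123def4567890",
                   "sg-0123456789abcdef0", EXAMPLE_TIME)
    print(json.dumps(done, indent=2))
    print(iam.calls, ec2.calls)
```

The deny policy is deliberately coarse: it also breaks any legitimate cached copy of the role's credentials (a CI agent or a developer who copied them off the instance), so take the cut-off time from the alert rather than "now" only if you have confirmed that no later legitimate sessions exist; otherwise accept the disruption, since that disruption is exactly what cuts the attacker off. Remove the policy once the instance has refreshed its credentials and the investigation is closed.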