AWS EC2 Instance Console Login via Assumed Role

  1[metadata]
  2creation_date = "2024/07/24"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/16"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects successful AWS Management Console or federation login activity performed using an EC2 instance’s assumed role
 11credentials. EC2 instances typically use temporary credentials to make API calls, not to authenticate interactively via
 12the console. A successful "ConsoleLogin" or "GetSigninToken" event using a session pattern that includes "i-" (the EC2
 13instance ID) is highly anomalous and may indicate that an adversary obtained the instance’s temporary credentials from
 14the instance metadata service (IMDS) and used them to access the console. Such activity can enable lateral movement,
 15privilege escalation, or persistence within the AWS account.
 16"""
 17event_category_override = "event.type"
 18false_positives = [
 19    """
 20    This is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event
 21    and include exceptions where necessary.
 22    """,
 23]
 24from = "now-6m"
 25index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 26language = "eql"
 27license = "Elastic License v2"
 28name = "AWS EC2 Instance Console Login via Assumed Role"
 29note = """## Triage and analysis
 30
 31### Investigating AWS EC2 Instance Console Login via Assumed Role
 32
 33This rule detects successful AWS console or federation logins using temporary credentials tied to EC2 instance profiles. Under normal conditions, EC2 instances use their temporary credentials for programmatic API access — **not** for interactive console sessions. When an attacker gains access to an instance’s IMDS (Instance Metadata Service) or its environment variables, they may retrieve temporary STS credentials and attempt console logins to gain full access to the AWS account. A successful login of this type is rare and high-risk, as it strongly suggests credential theft or unauthorized session hijacking.
 34
 35#### Possible investigation steps
 36
 37- **Identify the source and actor**
 38  - Review `aws.cloudtrail.user_identity.arn`, `user.id`, and `user_agent.original` fields to confirm the session originated from an EC2 instance (`:i-` pattern).
 39  - Correlate the instance ID (`i-xxxxxx`) with the specific EC2 instance in your environment to identify its owner, purpose, and running applications.
 40  - Check `source.ip` and `cloud.region` to determine if the login originated from within AWS infrastructure (expected) or an external location (suspicious).
 41
 42- **Correlate surrounding activity**
 43  - Pivot in Timeline to view the sequence of events leading up to the login, including:
 44    - STS token retrievals (`GetSessionToken`, `AssumeRole`, `GetCallerIdentity`)
 45    - Calls to the IMDS endpoint or local credential exfiltration attempts from the instance.
 46  - Investigate whether the same role or credentials were used for API actions following the login (e.g., `CreateUser`, `AttachRolePolicy`, or `ListBuckets`).
 47
 48- **Assess IAM role exposure**
 49  - Determine which IAM role was associated with the instance at the time of the event and review its attached permissions.
 50  - Evaluate whether the role grants console access or permissions beyond what that workload normally requires.
 51  - Check for any recent changes to that role’s trust policy or attached policies.
 52
 53- **Validate authorization**
 54  - Contact the EC2 instance owner or service team to confirm if any legitimate process should be logging in to the console.
 55  - If no legitimate activity can explain the login, treat the credentials as compromised.
 56
 57### False positive analysis
 58
 59This is very uncommon behavior.  
 60Known legitimate causes include:
 61- AWS or internal security automation that programmatically initiates console sessions for validation or testing.
 62- Forensic or incident-response automation that logs in using temporary credentials from a compromised instance.
 63- Red-team or penetration-testing activity designed to validate IMDS exposure or lateral movement scenarios.
 64
 65For any other occurrence, treat the alert as potentially malicious.  
 66Validate through:
 67- The originating instance’s purpose and owner.
 68- Known automation patterns in `user_agent.original`.
 69- The timestamp alignment with planned testing or security validation.
 70
 71### Response and remediation
 72
 73- **Immediate containment**
 74  - Revoke the temporary credentials for the affected role (`aws sts revoke-session-token` or rotate the role credentials).
 75  - Isolate the associated EC2 instance (e.g., detach it from the VPC or security groups) to prevent further credential misuse.
 76  - Invalidate active console sessions via AWS CLI or the AWS Console.
 77
 78- **Investigation and scoping**
 79  - Review CloudTrail logs for all actions associated with the compromised role in the preceding 24 hours.
 80  - Determine if additional roles or instances show similar `ConsoleLogin` patterns.
 81  - Search for network indicators of IMDS exploitation (e.g., requests to `169.254.169.254` from unauthorized binaries or users).
 82
 83- **Recovery and hardening**
 84  - Rotate all credentials for affected roles and users.
 85  - Apply IMDSv2 enforcement to prevent credential harvesting from EC2 metadata.
 86  - Implement restrictive IAM policies: deny console access (`iam:PassRole`, `sts:GetFederationToken`) for non-human roles.
 87
 88### Additional information
 89- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 90- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 91- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
 92"""
 93references = [
 94    "https://redcanary.com/blog/aws-sts/",
 95    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html/",
 96]
 97risk_score = 73
 98rule_id = "d1e5e410-3e34-412e-9b1f-dd500b3b55cd"
 99severity = "high"
100tags = [
101    "Domain: Cloud",
102    "Data Source: AWS",
103    "Data Source: Amazon Web Services",
104    "Data Source: AWS EC2",
105    "Data Source: AWS STS",
106    "Data Source: AWS Sign-In",
107    "Use Case: Identity and Access Audit",
108    "Tactic: Lateral Movement",
109    "Tactic: Credential Access",
110    "Tactic: Persistence",
111    "Resources: Investigation Guide",
112]
113timestamp_override = "event.ingested"
114type = "eql"
115
116query = '''
117info where event.dataset == "aws.cloudtrail"
118   and event.provider == "signin.amazonaws.com"
119   and event.action in ("ConsoleLogin", "GetSigninToken")
120   and event.outcome == "success"
121   and aws.cloudtrail.user_identity.type == "AssumedRole"
122   and stringContains (user.id, ":i-")
123'''
124
125
126[[rule.threat]]
127framework = "MITRE ATT&CK"
128[[rule.threat.technique]]
129id = "T1021"
130name = "Remote Services"
131reference = "https://attack.mitre.org/techniques/T1021/"
132[[rule.threat.technique.subtechnique]]
133id = "T1021.007"
134name = "Cloud Services"
135reference = "https://attack.mitre.org/techniques/T1021/007/"
136
137
138[[rule.threat.technique]]
139id = "T1550"
140name = "Use Alternate Authentication Material"
141reference = "https://attack.mitre.org/techniques/T1550/"
142[[rule.threat.technique.subtechnique]]
143id = "T1550.001"
144name = "Application Access Token"
145reference = "https://attack.mitre.org/techniques/T1550/001/"
146
147
148
149[rule.threat.tactic]
150id = "TA0008"
151name = "Lateral Movement"
152reference = "https://attack.mitre.org/tactics/TA0008/"
153[[rule.threat]]
154framework = "MITRE ATT&CK"
155[[rule.threat.technique]]
156id = "T1078"
157name = "Valid Accounts"
158reference = "https://attack.mitre.org/techniques/T1078/"
159[[rule.threat.technique.subtechnique]]
160id = "T1078.004"
161name = "Cloud Accounts"
162reference = "https://attack.mitre.org/techniques/T1078/004/"
163
164
165
166[rule.threat.tactic]
167id = "TA0003"
168name = "Persistence"
169reference = "https://attack.mitre.org/tactics/TA0003/"
170[[rule.threat]]
171framework = "MITRE ATT&CK"
172[[rule.threat.technique]]
173id = "T1552"
174name = "Unsecured Credentials"
175reference = "https://attack.mitre.org/techniques/T1552/"
176[[rule.threat.technique.subtechnique]]
177id = "T1552.005"
178name = "Cloud Instance Metadata API"
179reference = "https://attack.mitre.org/techniques/T1552/005/"
180
181
182
183[rule.threat.tactic]
184id = "TA0006"
185name = "Credential Access"
186reference = "https://attack.mitre.org/tactics/TA0006/"
187
188[rule.investigation_fields]
189field_names = [
190    "@timestamp",
191    "user.name",
192    "user_agent.original",
193    "source.ip",
194    "aws.cloudtrail.user_identity.arn",
195    "aws.cloudtrail.user_identity.type",
196    "aws.cloudtrail.user_identity.access_key_id",
197    "event.action",
198    "event.outcome",
199    "cloud.account.id",
200    "cloud.region",
201    "aws.cloudtrail.response_elements",
202]