AWS IAM Login Profile Added for Root
Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary access to the root account, may add a login profile to the root user account to maintain access even if the original access key is rotated or disabled.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2024/12/02"
integration = ["aws"]
maturity = "production"
min_stack_comments = "ES|QL available in technical preview."
min_stack_version = "8.13.0"
updated_date = "2024/12/02"

[rule]
author = ["Elastic"]
description = """
Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary
access to the root account, may add a login profile to the root user account to maintain access even if the original
access key is rotated or disabled.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "AWS IAM Login Profile Added for Root"
note = """
## Investigating AWS IAM Login Profile Added for Root

This rule detects when a login profile is added to the AWS root account. Adding a login profile to the root account, especially if self-assigned, is highly suspicious as it might indicate an adversary trying to establish persistence in the environment.

### Possible Investigation Steps

- **Identify the Source and Context of the Action**:
  - Examine the `source.address` field to identify the IP address from which the request originated.
  - Check the geographic location (`source.address`) to determine if the access is from an expected or unexpected region.
  - Look at the `user_agent.original` field to identify the tool or browser used for this action.
    - For example, a user agent like `Mozilla/5.0` might indicate interactive access, whereas `aws-cli` or SDKs suggest scripted activity.

- **Confirm Root User and Request Details**:
  - Validate the root user's identity through `aws.cloudtrail.user_identity.arn` and ensure this activity aligns with legitimate administrative actions.
  - Review `aws.cloudtrail.user_identity.access_key_id` to identify if the action was performed using temporary or permanent credentials. This access key could be used to pivot into other actions.

- **Analyze the Login Profile Creation**:
  - Review the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields for details of the created login profile.
    - For example, confirm the `userName` of the profile and whether `passwordResetRequired` is set to `true`.
  - Compare the `@timestamp` of this event with other recent actions by the root account to identify potential privilege escalation or abuse.

- **Correlate with Other Events**:
  - Investigate for related IAM activities, such as:
    - `CreateAccessKey` or `AttachUserPolicy` events targeting the root account.
    - Unusual data access, privilege escalation, or management console logins.
  - Check for any anomalies involving the same `source.address` or `aws.cloudtrail.user_identity.access_key_id` in the environment.

- **Evaluate Policy and Permissions**:
  - Verify the current security policies for the root account:
    - Ensure password policies enforce complexity and rotation requirements.
    - Check if MFA is enforced on the root account.
  - Assess the broader IAM configuration for deviations from least privilege principles.

### False Positive Analysis

- **Routine Administrative Tasks**: Adding a login profile might be a legitimate action during certain administrative processes. Verify with the relevant AWS administrators if this event aligns with routine account maintenance or emergency recovery scenarios.

- **Automation**: If the action is part of an approved automation process (e.g., account recovery workflows), consider excluding these activities from alerting using specific user agents, IP addresses, or session attributes.

### Response and Remediation

- **Immediate Access Review**:
  - Disable the newly created login profile (`aws iam delete-login-profile`) if it is determined to be unauthorized.
  - Rotate or disable the credentials associated with the root account to prevent further abuse.

- **Enhance Monitoring and Alerts**:
  - Enable real-time monitoring and alerting for IAM actions involving the root account.
  - Increase the logging verbosity for root account activities.

- **Review and Update Security Policies**:
  - Enforce MFA for all administrative actions, including root account usage.
  - Restrict programmatic access to the root account by disabling access keys unless absolutely necessary.

- **Conduct Post-Incident Analysis**:
  - Investigate how the credentials for the root account were compromised or misused.
  - Strengthen the security posture by implementing account-specific guardrails and continuous monitoring.

### Additional Resources

- AWS documentation on [Login Profile Management](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html).
"""
risk_score = 73
rule_id = "c04be7e0-b0fc-11ef-a826-f661ea17fbce"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail* metadata _id, _version, _index
| where
    // filter for CloudTrail logs from IAM
    event.dataset == "aws.cloudtrail"
    and event.provider == "iam.amazonaws.com"

    // filter for successful CreateLoginProfile API call
    and event.action == "CreateLoginProfile"
    and event.outcome == "success"

    // filter for Root member account
    and aws.cloudtrail.user_identity.type == "Root"

    // filter for an access key existing which sources from AssumeRoot
    and aws.cloudtrail.user_identity.access_key_id IS NOT NULL

    // filter on the request parameters not including UserName which assumes self-assignment
    and NOT TO_LOWER(aws.cloudtrail.request_parameters) LIKE "*username*"
| keep
    @timestamp,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.access_key_id,
    cloud.account.id,
    event.action,
    source.address
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
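The ES|QL query only runs inside Elasticsearch, so here is an added Python re-implementation of the same five conditions (not Elastic's code) evaluated over constructed raw CloudTrail records. It assumes the raw CloudTrail key names (`eventSource`, `eventName`, `errorCode`, `userIdentity`, `requestParameters`) that the Elastic integration maps onto the `event.*` and `aws.cloudtrail.*` fields the query names.

```python
"""Added example (not Elastic's code): the rule's ES|QL filter re-implemented
over raw CloudTrail JSON, whose keys the Elastic integration maps onto the
aws.cloudtrail.* / ECS fields the query names."""
import json


def is_self_assigned_root_login_profile(event: dict) -> bool:
    """True when a CloudTrail record satisfies every condition of the rule."""
    # event.provider == "iam.amazonaws.com", event.action == "CreateLoginProfile"
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "CreateLoginProfile":
        return False
    # event.outcome == "success": a failed call carries an errorCode
    if event.get("errorCode"):
        return False
    identity = event.get("userIdentity") or {}
    # aws.cloudtrail.user_identity.type == "Root"
    if identity.get("type") != "Root":
        return False
    # access_key_id IS NOT NULL: the call used programmatic credentials
    if not identity.get("accessKeyId"):
        return False
    # NOT TO_LOWER(request_parameters) LIKE "*username*": no target user named,
    # so the profile is self-assigned. In ES|QL a missing field makes the
    # comparison null and drops the row, so a missing field is a miss here too.
    params = event.get("requestParameters")
    if params is None:
        return False
    return "username" not in json.dumps(params).lower()


def alerts(records) -> list:
    """eventIDs of the records the rule would alert on."""
    return [r["eventID"] for r in records if is_self_assigned_root_login_profile(r)]


# Constructed sample records (not real CloudTrail data); only evt-1 matches.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
        "accessKeyId": "ASIAEXAMPLEKEY000001"}
BASE = {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile"}
SAMPLE_EVENTS = [
    {**BASE, "eventID": "evt-1", "userIdentity": ROOT,
     "requestParameters": {"passwordResetRequired": False}},
    {**BASE, "eventID": "evt-2", "userIdentity": ROOT,  # names a target user
     "requestParameters": {"userName": "alice", "passwordResetRequired": True}},
    {**BASE, "eventID": "evt-3", "userIdentity": ROOT,  # denied, not success
     "errorCode": "AccessDenied", "requestParameters": {}},
    {**BASE, "eventID": "evt-4", "requestParameters": {},  # IAM user, not root
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
]
```

Feeding a real CloudTrail export through `alerts()` is a quick way to check what the rule would have fired on before it is enabled, including the records it deliberately drops (failed calls, non-root callers, calls that name a `userName`).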
Related rules
- AWS IAM AdministratorAccess Policy Attached to User
- AWS IAM AdministratorAccess Policy Attached to Group
- AWS IAM AdministratorAccess Policy Attached to Role
- AWS IAM Create User via Assumed Role on EC2 Instance
- AWS IAM Customer-Managed Policy Attached to Role by Rare User