AWS IAM Login Profile Added for Root

Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary access to the root account, may add a login profile to the root user account to maintain access even if the original access key is rotated or disabled.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/12/02"
integration = ["aws"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary
access to the root account, may add a login profile to the root user account to maintain access even if the original
access key is rotated or disabled.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "AWS IAM Login Profile Added for Root"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS IAM Login Profile Added for Root

AWS IAM allows management of user access and permissions within AWS environments. A login profile enables console access using a password. Adversaries may exploit temporary root access to create a login profile, ensuring persistent access even if keys are rotated. The detection rule identifies such actions by monitoring specific API calls and conditions, flagging self-assigned profile additions to root accounts for review.

### Possible investigation steps

- Review the @timestamp field to determine when the CreateLoginProfile action occurred and correlate it with any other suspicious activities around the same time.
- Examine the aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id fields to identify the specific root account and access key involved in the action.
- Investigate the source.address field to trace the IP address from which the CreateLoginProfile request originated, checking for any unusual or unauthorized locations.
- Analyze the aws.cloudtrail.request_parameters and aws.cloudtrail.response_elements fields to understand the specifics of the login profile creation and verify if any unexpected parameters were used.
- Check the cloud.account.id to confirm which AWS account was affected and assess if there are any other security incidents or alerts associated with this account.
- Review the event.action field of surrounding events to ensure that no other unauthorized actions were performed by the root account around the same time.

### False positive analysis

- Administrative actions by trusted personnel may trigger the rule if they are performing legitimate maintenance or security tasks. To manage this, create exceptions for known administrative activity. Note that temporary access key IDs (prefix `ASIA`) change with every session, so exceptions keyed on them are short-lived; prefer source addresses or user agents where possible.
- Automated scripts or tools used for account management might inadvertently match the rule's conditions. Identify these scripts and exclude their specific access key IDs or user agents from the detection criteria.
- Testing environments where root access is used for simulation or development purposes can cause false positives. Implement a tagging system for test environments and exclude logs with these tags from triggering the rule.
- Third-party integrations that require root access for initial setup or configuration might be flagged. Document these integrations and adjust the rule to recognize and exclude their specific access patterns.

### Response and remediation

- Immediately revoke any active sessions and access keys associated with the root account to prevent further unauthorized access.
- Reset the root account password and ensure that multi-factor authentication (MFA) is enabled for the root user to enhance security.
- Review AWS CloudTrail logs to identify any other suspicious activities or changes made by the root account during the time of the incident.
- Conduct a thorough audit of IAM policies and permissions to ensure that no other unauthorized changes have been made and that least privilege principles are enforced.
- Notify the security operations team and relevant stakeholders about the incident for further investigation and to ensure awareness across the organization.
- Implement additional monitoring and alerting for root account activities to detect any future unauthorized access attempts promptly.
- Consider engaging AWS Support or a third-party security expert if the incident's scope is beyond internal capabilities or if further forensic analysis is required.

## Investigating AWS IAM Login Profile Added for Root

This rule detects when a login profile is added to the AWS root account. Adding a login profile to the root account, especially if self-assigned, is highly suspicious as it might indicate an adversary trying to establish persistence in the environment.

### Possible Investigation Steps

- **Identify the Source and Context of the Action**:
    - Examine the `source.address` field to identify the IP address from which the request originated.
        - Check the geographic location of that address to determine if the access is from an expected or unexpected region.
    - Look at the `user_agent.original` field to identify the tool or browser used for this action.
        - For example, a user agent like `Mozilla/5.0` might indicate interactive access, whereas `aws-cli` or SDKs suggest scripted activity.

- **Confirm Root User and Request Details**:
    - Validate the root user's identity through `aws.cloudtrail.user_identity.arn` and ensure this activity aligns with legitimate administrative actions.
    - Review `aws.cloudtrail.user_identity.access_key_id` to identify if the action was performed using temporary or long-term credentials (temporary keys issued by STS, including AssumeRoot sessions, begin with `ASIA`; long-term keys begin with `AKIA`). This access key could be used to pivot into other actions.

- **Analyze the Login Profile Creation**:
    - Review the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields for details of the created login profile.
        - For example, confirm the `userName` of the profile and whether `passwordResetRequired` is set to `true`.
    - Compare the `@timestamp` of this event with other recent actions by the root account to identify potential privilege escalation or abuse.

- **Correlate with Other Events**:
    - Investigate for related IAM activities, such as:
        - `CreateAccessKey` events for the root user, or `CreateUser` / `AttachUserPolicy` events that create additional privileged principals (the root user is not an IAM user, so policy attachments target other identities).
        - Unusual data access, privilege escalation, or management console logins.
    - Check for any anomalies involving the same `source.address` or `aws.cloudtrail.user_identity.access_key_id` in the environment.

- **Evaluate Policy and Permissions**:
    - Verify the current security posture of the root account:
        - Ensure password policies enforce complexity and rotation requirements for IAM users; note that the IAM account password policy does not apply to the root user, whose password must be managed directly.
        - Check if MFA is enforced on the root account.
    - Assess the broader IAM configuration for deviations from least privilege principles.

### False Positive Analysis

- **Routine Administrative Tasks**: Adding a login profile might be a legitimate action during certain administrative processes. Verify with the relevant AWS administrators if this event aligns with routine account maintenance or emergency recovery scenarios.

- **Automation**: If the action is part of an approved automation process (e.g., account recovery workflows), consider excluding these activities from alerting using specific user agents, IP addresses, or session attributes.

### Response and Remediation

- **Immediate Access Review**:
    - Delete the newly created login profile (`aws iam delete-login-profile`) if it is determined to be unauthorized.
    - Rotate or disable the credentials associated with the root account to prevent further abuse.

- **Enhance Monitoring and Alerts**:
    - Enable real-time monitoring and alerting for IAM actions involving the root account.
    - Ensure CloudTrail management events are recorded for all regions and forwarded to the SIEM so that root activity is never unlogged.

- **Review and Update Security Policies**:
    - Enforce MFA for all administrative actions, including root account usage.
    - Restrict programmatic access to the root account by deleting any root access keys; the root user should not hold long-term keys.

- **Conduct Post-Incident Analysis**:
    - Investigate how the credentials for the root account were compromised or misused.
    - Strengthen the security posture by implementing account-specific guardrails and continuous monitoring.

### Additional Resources

- AWS documentation on [Login Profile Management](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html).
"""
risk_score = 73
rule_id = "c04be7e0-b0fc-11ef-a826-f661ea17fbce"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail* metadata _id, _version, _index
| where
    // filter for CloudTrail logs from IAM
    event.dataset == "aws.cloudtrail"
    and event.provider == "iam.amazonaws.com"

    // filter for successful CreateLoginProfile API call
    and event.action == "CreateLoginProfile"
    and event.outcome == "success"

    // filter for the Root identity (e.g. a member account's root user)
    and aws.cloudtrail.user_identity.type == "Root"

    // filter for an access key being present, as it is for AssumeRoot sessions
    // (interactive root console sessions carry no access key)
    and aws.cloudtrail.user_identity.access_key_id IS NOT NULL

    // filter on the request parameters not including UserName, which implies self-assignment
    and NOT TO_LOWER(aws.cloudtrail.request_parameters) LIKE "*username*"
| keep
    @timestamp,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.access_key_id,
    cloud.account.id,
    event.action,
    source.address
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
...
```
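The rule's `where` clause replayed in Python over constructed CloudTrail documents, as an added example that is not part of the Elastic rule or of this page. It mirrors each condition of the query above (including how ES|QL treats a null `request_parameters`), tags every hit with the credential type the triage steps ask about, and shows the exception handling the false-positive sections describe. Field names follow the rule's `keep` clause; the events, account ID, key IDs, addresses, timestamps and the `matches_rule` / `classify_access_key` / `run_rule` helpers are assumptions made for the example.

```python
"""Replay of the rule's ES|QL conditions over constructed CloudTrail events.

Added illustration, not Elastic's code. The events are hand-written,
ECS-flattened documents in the shape the aws.cloudtrail integration
produces; account IDs, key IDs, addresses and timestamps are made up.
"""
import json

# Fields the rule's `keep` clause projects into the alert.
KEEP_FIELDS = (
    "@timestamp",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.access_key_id",
    "cloud.account.id",
    "event.action",
    "source.address",
)


def _event(**overrides):
    """Build a constructed event; only the fields the rule reads are populated."""
    base = {
        "@timestamp": "2025-03-20T10:15:00Z",
        "event.dataset": "aws.cloudtrail",
        "event.provider": "iam.amazonaws.com",
        "event.action": "CreateLoginProfile",
        "event.outcome": "success",
        "aws.cloudtrail.user_identity.type": "Root",
        "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:root",
        "aws.cloudtrail.user_identity.access_key_id": "ASIAEXAMPLE000000001",
        "aws.cloudtrail.request_parameters": json.dumps({"passwordResetRequired": False}),
        "aws.cloudtrail.response_elements": json.dumps({"loginProfile": {"userName": "root"}}),
        "cloud.account.id": "111122223333",
        "source.address": "198.51.100.23",
        "user_agent.original": "aws-cli/2.22.0",
    }
    base.update(overrides)
    return base


SAMPLE_EVENTS = [
    # 0: temporary (ASIA) key sets a root password with no UserName -> alert
    _event(),
    # 1: root sets a password for IAM user "alice": UserName present, not self-assigned
    _event(**{"aws.cloudtrail.request_parameters": json.dumps({"userName": "alice", "passwordResetRequired": True})}),
    # 2: same with a differently cased key: TO_LOWER makes the substring check case-insensitive
    _event(**{"aws.cloudtrail.request_parameters": '{"UserName": "bob"}'}),
    # 3: interactive root console session carries no access key -> outside the rule's scope
    _event(**{"aws.cloudtrail.user_identity.access_key_id": None, "user_agent.original": "AWS Internal"}),
    # 4: an IAM user rather than root
    _event(**{"aws.cloudtrail.user_identity.type": "IAMUser",
              "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/ops"}),
    # 5: denied call
    _event(**{"event.outcome": "failure"}),
    # 6: long-term (AKIA) root key from an approved recovery host -> alert unless excepted
    _event(**{"aws.cloudtrail.user_identity.access_key_id": "AKIAEXAMPLE000000002", "source.address": "203.0.113.10"}),
    # 7: request_parameters absent: TO_LOWER(null) is null and WHERE drops null rows (caveat)
    _event(**{"aws.cloudtrail.request_parameters": None}),
]


def matches_rule(ev):
    """Mirror the rule's WHERE clause, including ES|QL null semantics."""
    if ev.get("event.dataset") != "aws.cloudtrail" or ev.get("event.provider") != "iam.amazonaws.com":
        return False
    if ev.get("event.action") != "CreateLoginProfile" or ev.get("event.outcome") != "success":
        return False
    if ev.get("aws.cloudtrail.user_identity.type") != "Root":
        return False
    if ev.get("aws.cloudtrail.user_identity.access_key_id") is None:
        return False
    params = ev.get("aws.cloudtrail.request_parameters")
    if params is None:
        return False  # NOT (null LIKE "*username*") is null, so the row is filtered out
    return "username" not in params.lower()


def classify_access_key(key_id):
    """Triage helper: STS-issued temporary keys start with ASIA, long-term keys with AKIA."""
    if key_id is None:
        return "none"
    if key_id.startswith("ASIA"):
        return "temporary"
    if key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def run_rule(events, excepted_keys=frozenset(), excepted_sources=frozenset()):
    """Return the rule's `keep` projection for each hit, minus tuned-out exceptions."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        key = ev["aws.cloudtrail.user_identity.access_key_id"]
        if key in excepted_keys or ev.get("source.address") in excepted_sources:
            continue
        row = {field: ev.get(field) for field in KEEP_FIELDS}
        row["credential_type"] = classify_access_key(key)
        alerts.append(row)
    return alerts


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(json.dumps(hit, indent=2))
```

Events 0 and 6 are the only hits; event 7 shows the caveat that a document with no `request_parameters` at all is silently dropped by the `NOT ... LIKE` test, so a rule-tuning review should confirm the integration always populates that field for `CreateLoginProfile`. Exceptions keyed on `source.address` survive across sessions, whereas an exception on the `ASIA` key of event 0 would expire with that session.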
